No, the security component does not protect you against that. There must be 
some place where you are passing raw input into a query.

On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>
> Hi,
>
> I've just launched a site for a client that had quite a big form in it 
> that people were spending a long time trying to complete.  Because some 
> people were walking away from the form then coming back later and trying to 
> submit, their security tokens were expiring, so the client asked me to 
> disable security for that form.
>
> I did the following:
> if ($this->request->action == 'add') {
>   $this->Security->validatePost = false;
>   $this->Security->csrfCheck = false;
> }
>
> Fast forward to this evening and someone has managed to delete the users 
> table from the database.  Could disabling validatePost and csrfCheck have 
> allowed someone to SQL inject a table drop?
>
> Thanks,
>
> Paul.
>
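An added illustration of the pattern the reply points at (not code from either poster), written in CakePHP 2.x controller style to match the snippet above; the ApplicantsController, the Applicant model and its email field are assumed names:

```php
<?php
// Added example: why Security->validatePost / csrfCheck are irrelevant to
// SQL injection. Those checks only look at the form token and field list;
// they never inspect what a query does with the submitted values.
// ApplicantsController / Applicant / email are assumed for illustration.
class ApplicantsController extends AppController {

    // Vulnerable: request data is concatenated straight into SQL.
    // Whatever the user typed becomes part of the statement, with or
    // without the Security component enabled.
    public function lookupUnsafe() {
        $email = $this->request->data['Applicant']['email'];
        $rows = $this->Applicant->query(
            "SELECT * FROM applicants WHERE email = '" . $email . "'"
        );
        $this->set('rows', $rows);
    }

    // Safe: values in a conditions array are quoted by the DataSource,
    // so the input is only ever treated as data, never as SQL.
    public function lookup() {
        $email = $this->request->data['Applicant']['email'];
        $rows = $this->Applicant->find('all', array(
            'conditions' => array('Applicant.email' => $email),
        ));
        $this->set('rows', $rows);
    }

    // When raw SQL is unavoidable, bind parameters instead of concatenating.
    // Assumption: in CakePHP 2.x, Model::query() forwards a second array
    // argument to DboSource::fetchAll() as prepared-statement params;
    // confirm this against the installed version before relying on it.
    public function lookupRawSafe() {
        $email = $this->request->data['Applicant']['email'];
        $rows = $this->Applicant->query(
            'SELECT * FROM applicants WHERE email = ?', array($email)
        );
        $this->set('rows', $rows);
    }
}
```

Auditing for the first pattern (string-built SQL from $this->request->data) across every model and controller is the concrete check the reply is recommending.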
