No, the security component does not protect you against that. There must be some place where you are passing raw input into a query.
On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>
> Hi,
>
> I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form.
>
> I did the following:
>     if ($this->request->action == 'add') {
>         $this->Security->validatePost = false;
>         $this->Security->csrfCheck = false;
>     }
>
> Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to SQL inject a table drop?
>
> Thanks,
>
> Paul.
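
One way to look for the place the reply points at, as an added example that is not part of the thread: a heuristic Python scan of CakePHP 2.x-style source for PHP variables spliced into SQL text. The sample lines, the `scan` function and its patterns are constructed for illustration and assume CakePHP 2.x conventions (array conditions and `?` placeholders are treated as safe).

```python
import re

# Constructed CakePHP 2.x-style lines for illustration; not from the poster's site.
SAMPLE = r'''
$this->Security->csrfCheck = false;
$rows = $this->User->query("SELECT * FROM users WHERE email = '$email'");
$rows = $this->User->query("SELECT * FROM users WHERE id = ?", array($id));
$u = $this->User->find('all', array('conditions' => "User.name = '" . $this->request->data['name'] . "'"));
$u = $this->User->find('all', array('conditions' => array('User.name' => $this->request->data['name'])));
$page = $this->request->query('page');
'''.strip()

# Places where SQL text is handed to the database layer as a string (assumed patterns).
SINKS = [
    # ->query(...) on a model; $this->request->query(...) only reads the URL and is skipped.
    ("raw query()", re.compile(r'(?<!request)->query\s*\((.*)')),
    # 'conditions' given as a string instead of an array.
    ("string conditions", re.compile(r'''['"]conditions['"]\s*=>\s*(['"].*)''')),
]
STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"' + r"|'(?:[^'\\]|\\.)*'")
INTERPOLATED = re.compile(r'(?<!\\)\$\w')  # "$var" inside a double-quoted literal
CONCATENATED = re.compile(r'S\s*\.\s*\$|\$[^,;]*?\.\s*S')  # 'sql' . $var  or  $var . 'sql'


def scan(source):
    """Return (line_no, sink, reason) where a PHP variable is spliced into SQL text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for sink, pattern in SINKS:
            match = pattern.search(line)
            if not match:
                continue
            args = match.group(1)
            literals = STRING_LIT.findall(args)
            skeleton = STRING_LIT.sub("S", args)  # literals collapsed to a marker
            if any(s.startswith('"') and INTERPOLATED.search(s) for s in literals):
                findings.append((line_no, sink, "variable interpolated into SQL string"))
            elif CONCATENATED.search(skeleton):
                findings.append((line_no, sink, "variable concatenated into SQL string"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit is a lead for manual review, not proof of a flaw; SQL assembled in a variable over several lines is not caught by this single-line check.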