Re: file upload

2007-03-07 Thread stuckshut

You should be aware that this doesn't protect the files themselves in
any way. If a user knows, or can guess, the name of a file that exists
within that directory they can still browse directly to it.

On Feb 22, 8:23 am, "bingo" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks for all your replies. I think putting .htaccess is better than
> putting index.html. This is because I will have multiple folders
> inside the files directory. If I use index.html then I will need to put
> index.html in all the subdirectories too. However, if I just put
> one .htaccess in the files directory, it can control browsing
> behaviour for all the subdirectories too.
>
> Regards,
> Ritesh
>
> On Feb 22, 7:05 am, "John" <[EMAIL PROTECTED]> wrote:
>
> > Hi
>
> > Or just add a blank index.html file to the files directory - people
> > trying to browse will just see a blank page - and of course you can
> > edit the file to show whatever you want.
>
> > John


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



$conditions array edge case - potential security concern

2007-01-29 Thread stuckshut

I bring this subject up because I've seen this problem in a few 
authentication components in the bakery. The problem is in the way 
that Cake will happily let you use any sql operator as part of the 
$conditions array; if you aren't careful you'll end up letting the 
user select it for you.
For example:

$conditions = array("User.username" => $username, "User.password" => 
sha1($password));

The problem is that no comparison operator has been specified as part 
of the username value. So, if an attacker at my site entered (without 
quotes): "or 1=1" into the username field on my page, Cake will use 
the or operator as part of this query. Thus, our SQL statement will 
look something like this:

SELECT * FROM users u where username or 1=1 and password = 
hashedwhatever;

Although it looks weird, this query will execute and it will find the 
first user in the database with a matching password. While this won't 
give the attacker immediate access to your application, it does make 
his job considerably easier. Brute-forcing is now no longer username 
dependent. All it takes is one user with a weak password and the 
attacker will be into your app.

Note that this is how the CakePHP manual says to construct simple 
equality checks with the $conditions array. In order to fix this you 
must be more explicit:

$conditions = array("User.username" => "= " . $username, 
"User.password" => "= " . sha1($password));

So, please be careful when constructing finds with the conditions 
array. Any time that you don't want the user to be able to choose the 
comparison operator you must specify it yourself.
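To make the distinction in this post concrete, here is an added PHP example (not code from the original post or from CakePHP) that models the described behaviour in a toy query builder; OPERATOR_PREFIXES, leadingOperator, buildWhereLoose and buildWhereStrict are names chosen for the illustration.

```php
<?php
// Added illustration, not CakePHP's code: a simplified model of how a bare
// $conditions value can carry its own operator, beside a strict alternative.

// Operator words the model recognises at the start of a value (assumption).
const OPERATOR_PREFIXES = ['=', '<>', '!=', '<', '>', 'LIKE', 'IN', 'OR', 'AND', 'NOT', 'IS'];

// Returns the operator a value begins with, or null if it has none.
function leadingOperator(string $value): ?string
{
    $first = strtoupper(explode(' ', trim($value), 2)[0]);
    return in_array($first, OPERATOR_PREFIXES, true) ? $first : null;
}

// Loose builder (the behaviour the post warns about): a value that starts
// with an operator is spliced into the SQL verbatim; otherwise it becomes a
// quoted equality test.
function buildWhereLoose(array $conditions): string
{
    $parts = [];
    foreach ($conditions as $field => $value) {
        $parts[] = leadingOperator($value) !== null
            ? "$field $value"
            : "$field = '" . addslashes($value) . "'";
    }
    return 'WHERE ' . implode(' AND ', $parts);
}

// Strict builder: the operator is fixed to '=' and each value is a bound
// parameter, so input can change the compared value but never the query.
function buildWhereStrict(array $conditions): array
{
    $sql = [];
    $params = [];
    foreach ($conditions as $field => $value) {
        $sql[] = "$field = ?";
        $params[] = $value;
    }
    return ['sql' => 'WHERE ' . implode(' AND ', $sql), 'params' => $params];
}

// Constructed input of the kind described in the post.
$conditions = ['User.username' => 'or 1=1', 'User.password' => sha1('secret')];

echo buildWhereLoose($conditions), PHP_EOL;   // the OR leaks into the SQL
print_r(buildWhereStrict($conditions));       // the OR is only a bound string
```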





Re: Table names

2006-08-11 Thread stuckshut

just put this in your model:

var $useTable = 'tblModules';





Re: setFlash problem

2006-07-27 Thread stuckshut

Just had a conversation with gwoo on IRC about this. To fix this, just
add:
if (is_object($controller))
{
    // existing View constructor call goes here
}

around the View constructor. Thanks again gwoo.





Re: setFlash problem

2006-07-27 Thread stuckshut

I'm having this exact same problem. Any ideas about this one?

