Re: Cakephp Forms Security Flaw

2009-05-26 Thread @zghanv/-

Nice ... I would say ...

It was undocumented for Cake 1.1;
I checked it in the core file now:

function save($data = null, $validate = true, $fieldList = array()) {

Thanks.

On May 4, 3:04 pm, BeroFX ber...@gmail.com wrote:
> Well, first of all, you need to validate the data before saving it.
>
> http://book.cakephp.org/view/125/Data-Validation
>
> Then, you might consider sanitizing the submitted data
>
> http://book.cakephp.org/view/153/Data-Sanitization
>
> And then, you can even go ahead and allow only certain fields to be
> saved
>
> http://book.cakephp.org/view/75/Saving-Your-Data
>
> The code provided in the tutorial is only to get you to start coding
> as fast as possible, and then build off that.
>
> On May 4, 10:35 am, AzGhanv/. azgha...@gmail.com wrote:
>
> > I was checking this tutorial ...
> > http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
> >
> > Here I see a big security flaw ... and I think this practice is used
> > throughout the framework.
> >
> > function add()
> > {
> >     if (!empty($this->data))
> >     {
> >         if ($this->Post->save($this->data))
> >         {
> >             $this->flash('Your post has been saved.', '/posts');
> >         }
> >     }
> > }
> >
> > We create HTML form inputs with names like 'data[Post][field_name]' ...
> > and on post back we can access it using $this->data.
> >
> > and that data array contains a Post array, as in our input name.
> >
> > Concern:
> > As the value in input field_name directly maps to our DB field, if
> > someone tampers with your HTML form by guessing the database field
> > name ... we have no checks.
> >
> > I want to know, is there any base solution provided by cakephp, or do
> > we have to recheck the posted fields manually again.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Cakephp Forms Security Flaw

2009-05-04 Thread AzGhanv/.

I was checking this tutorial ...
http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial

Here I see a big security flaw ... and I think this practice is used
throughout the framework.

function add()
{
    if (!empty($this->data))
    {
        if ($this->Post->save($this->data))
        {
            $this->flash('Your post has been saved.', '/posts');
        }
    }
}

We create HTML form inputs with names like 'data[Post][field_name]' ...
and on post back we can access it using $this->data.

and that data array contains a Post array, as in our input name.

Concern:
As the value in input field_name directly maps to our DB field, if
someone tampers with your HTML form by guessing the database field
name ... we have no checks.

I want to know, is there any base solution provided by cakephp, or do
we have to recheck the posted fields manually again.





Re: Cakephp Forms Security Flaw

2009-05-04 Thread BeroFX

Well, first of all, you need to validate the data before saving it.

http://book.cakephp.org/view/125/Data-Validation

Then, you might consider sanitizing the submitted data

http://book.cakephp.org/view/153/Data-Sanitization

And then, you can even go ahead and allow only certain fields to be
saved

http://book.cakephp.org/view/75/Saving-Your-Data


The code provided in the tutorial is only to get you to start coding
as fast as possible, and then build off that.

On May 4, 10:35 am, AzGhanv/. azgha...@gmail.com wrote:

> I was checking this tutorial ...
> http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
>
> Here I see a big security flaw ... and I think this practice is used
> throughout the framework.
>
> function add()
> {
>     if (!empty($this->data))
>     {
>         if ($this->Post->save($this->data))
>         {
>             $this->flash('Your post has been saved.', '/posts');
>         }
>     }
> }
>
> We create HTML form inputs with names like 'data[Post][field_name]' ...
> and on post back we can access it using $this->data.
>
> and that data array contains a Post array, as in our input name.
>
> Concern:
> As the value in input field_name directly maps to our DB field, if
> someone tampers with your HTML form by guessing the database field
> name ... we have no checks.
>
> I want to know, is there any base solution provided by cakephp, or do
> we have to recheck the posted fields manually again.
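An added example, not code from this thread or from the CakePHP project, showing the two steps BeroFX lists (validate, then allow only certain fields) and what the $fieldList argument of Model::save() found in the follow-up achieves. It is plain PHP so it runs without the framework; validatePost(), whitelistFields(), preparePost() and $ALLOWED_POST_FIELDS are hypothetical names, and 'published' is an assumed extra column on the posts table used only to show what the whitelist drops.

```php
<?php
// Added example (not from the thread or the CakePHP project). Plain PHP that
// mirrors what Model::save($data, $validate, $fieldList) does in Cake 1.1/1.2:
// validate the posted record, then write only whitelisted columns.

// Columns the add form is meant to submit. Hypothetical list for a posts table.
$ALLOWED_POST_FIELDS = array('title', 'body');

// Step 1: validation, the equivalent of the model's validation rules.
// Returns an array of field => message; an empty array means the record is valid.
function validatePost(array $post) {
    $errors = array();
    if (!isset($post['title']) || trim($post['title']) === '') {
        $errors['title'] = 'Title is required';
    }
    if (!isset($post['body']) || strlen(trim($post['body'])) < 10) {
        $errors['body'] = 'Body must be at least 10 characters';
    }
    return $errors;
}

// Step 2: the whitelist. Keys not in $fieldList are dropped before the record
// reaches the database, whatever the browser sent. The dropped keys are
// returned too so the caller can log them: an input the form never rendered
// is a useful tamper signal.
function whitelistFields(array $post, array $fieldList) {
    $keep    = array_intersect_key($post, array_flip($fieldList));
    $dropped = array_diff_key($post, $keep);
    return array('record' => $keep, 'dropped' => array_keys($dropped));
}

// Both steps together, in the order the reply recommends. Returns either the
// record that is safe to save or the validation errors.
function preparePost(array $data, array $fieldList) {
    $post   = (isset($data['Post']) && is_array($data['Post'])) ? $data['Post'] : array();
    $errors = validatePost($post);
    if (!empty($errors)) {
        return array('ok' => false, 'errors' => $errors);
    }
    $filtered = whitelistFields($post, $fieldList);
    if (!empty($filtered['dropped'])) {
        // Detection hook: the assumed 'published' key below lands here.
        // In a real application use its logger instead of error_log().
        error_log('Unexpected Post fields dropped: ' . implode(', ', $filtered['dropped']));
    }
    return array('ok' => true, 'record' => $filtered['record']);
}

// Constructed request, shaped like $this->data after submitting the blog
// tutorial's form: the two rendered fields plus 'published', an assumed column
// the form never had an input for (the scenario from the original post).
$data = array(
    'Post' => array(
        'title'     => 'Hello',
        'body'      => 'This is my first post.',
        'published' => 1,
    ),
);

$result = preparePost($data, $ALLOWED_POST_FIELDS);
print_r($result);
```

Inside the tutorial's controller the same effect comes from the signature quoted in the follow-up: $this->Post->save($this->data, true, array('title', 'body')) runs the model's validation rules ($validate = true) and restricts the write to the listed columns, so a key such as the assumed 'published' is never written even if the request carries it.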