Re: Cakephp Forms Security Flaw
Nice ... I would say ... it was undocumented for Cake 1.1. I checked it in the core file now:

    function save($data = null, $validate = true, $fieldList = array()) {

Thanks.

On May 4, 3:04 pm, BeroFX ber...@gmail.com wrote:

On May 4, 10:35 am, AzGhanv/. azgha...@gmail.com wrote:

You received this message because you are subscribed to the Google Groups CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Cakephp Forms Security Flaw
I was checking this tutorial ... http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial

Here I see a big security flaw ... and I think this practice is used throughout the framework.

    function add()
    {
        if (!empty($this->data))
        {
            if ($this->Post->save($this->data))
            {
                $this->flash('Your post has been saved.', '/posts');
            }
        }
    }

We create HTML form inputs with names like 'data[Post][field_name]' ... and on post back we can access them using $this->data, and that data array contains an array of Post as in our input name.

Concern: As the value in input field_name directly maps to our DB field, if someone tampers with your HTML form by guessing database field names ... we have no checks.

I want to know, is there any base solution provided by CakePHP, or do we have to recheck the posted fields manually again?
Re: Cakephp Forms Security Flaw
Well, first of all, you need to validate the data before saving it.
http://book.cakephp.org/view/125/Data-Validation

Then, you might consider sanitizing the submitted data.
http://book.cakephp.org/view/153/Data-Sanitization

And then, you can even go ahead and allow only certain fields to be saved.
http://book.cakephp.org/view/75/Saving-Your-Data

The code provided in the tutorial is only to get you to start coding as fast as possible, and then build off that.

On May 4, 10:35 am, AzGhanv/. azgha...@gmail.com wrote:
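A hardened version of the tutorial's add() action that applies BeroFX's first and third suggestions: model validation plus the $fieldList argument of Model::save() whose signature AzGhanv quoted. This is an added example, not code from the thread or from the CakePHP book; it assumes a CakePHP 1.2 application whose Post model has the writable columns title and body.

```php
<?php
// Added example (not from the thread or the CakePHP book). Assumes a CakePHP 1.2
// app whose Post model has the writable columns title and body; in a real app
// the model lives in app/models/post.php and the controller in
// app/controllers/posts_controller.php.

class Post extends AppModel {
    var $name = 'Post';

    // Validation rules. Model::save() runs them when its second argument
    // ($validate) is true, the default, and refuses to save on failure.
    var $validate = array(
        'title' => array('rule' => 'notEmpty', 'message' => 'Title is required'),
        'body'  => array('rule' => 'notEmpty', 'message' => 'Body is required')
    );
}

class PostsController extends AppController {
    var $name = 'Posts';

    // Whitelist of columns a form submission may write. Passed as the third
    // argument ($fieldList) of save($data = null, $validate = true,
    // $fieldList = array()): keys under data[Post][...] that are not listed
    // here are ignored, so a tampered form cannot reach other columns.
    var $postFields = array('title', 'body');

    function add() {
        if (!empty($this->data)) {
            $this->Post->create();  // start from a fresh record, no stale id
            if ($this->Post->save($this->data, true, $this->postFields)) {
                $this->flash('Your post has been saved.', '/posts');
            } else {
                // Validation failed: hand the messages to the view so the
                // form can be re-rendered with errors instead of silently
                // dropping the request.
                $this->set('errors', $this->Post->validationErrors);
            }
        }
    }
}
```

Sanitization (BeroFX's second link) is a separate step applied to the field values themselves; the whitelist only controls which columns can be written, not what goes into them.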