Hi Dave,
In terms of security, my opinion is that your concern should be with how the
data is protected rather than the profiles a person can have. I was
responsible for the architecture of a major real estate application and we
implemented it in a similar way that you mentioned. Each user had
What would be the security holes to watch for in a situation like this
Everyone who registers is a user
User is then broken up into one of 2 groups depending on what role they
select (think of a real estate site where you may be looking for a home or
selling, so you're either a buyer or seller
monial. I am happy with whatever provides the fastest,
> > easiest solution. I will even consider removing the testimonials
> > submission page altogether. (If I had been able to find this page it
> > would be long gone)
>
> > My site is hosted with godaddy and I have acces
r. (If I had been able to find this page it
> would be long gone)
>
> My site is hosted with godaddy and I have access to all of my files.
> My website is: www.gemni-gems.com.
In short use the security component for your ssl problem, and in part
to address your spam problem too (see b
. In the admin panel you could just select
> > which to publish and do an UpdateAll, or something along those lines,
> > and then delete the rest. As for the ssl cert I believe that using the
> > Security component and you can tell it to requireSecure, meaning ssl
> > on specific
elect
> which to publish and do an UpdateAll, or something along those lines,
> and then delete the rest. As for the ssl cert I believe that using the
> Security component and you can tell it to requireSecure, meaning ssl
> on specific actions.
>
> On Jul 11, 4:49 pm, bonkycat wro
Upon adding the testimonial have a field in the database, like a
published tinyint(1) field. In the admin panel you could just select
which to publish and do an UpdateAll, or something along those lines,
and then delete the rest. As for the ssl cert I believe that using the
Security component and
I have read and searched for help, but my limited (lack) of
understanding is a serious handicap. I can't seem to see what version
of CakePHP he used to build my site, my apologies in advance.
The developer left my site half built, but functional, and I do need
someone to complete the work, but h
Hello!
I would like to use the security component with digest authentication,
but I can't find any example of how to use it; there's only basic auth
in the Cake doc. Could you help me and give an example of using it?
--~--~-~--~~~---~--~~
You received this messa
SOLUTION:
It will blackhole if none of the radios are selected. Suppose that
makes sense. So always assign a default.
Cheers
On Jun 24, 11:59 am, lazlo2019 wrote:
> Hi guys
>
> Quick question. Any ideas why this:
>
> $io = array('error' => false); // input options
> $genders = array('m' => 'M
Hi guys
Quick question. Any ideas why this:
$io = array('error' => false); // input options
$genders = array('m' => 'Male', 'f' => 'Female');
echo $form->input('gender', $io + array('type' => 'radio', 'options'
=> $genders, 'legend' => false, 'before' => 'Gender'));
should cause a form to blac
o use
> php as a middle-man to an ftp. Your app needs to be secure no matter
> what you do.
>
> On Jun 12, 4:09 pm, wowfka wrote:
>
> > Hello,
>
> > Have question regarding file security. I am thinking to create e-shop
> > where you can buy some files.
> >
not really that unsafe to use
php as a middle-man to an ftp. Your app needs to be secure no matter
what you do.
On Jun 12, 4:09 pm, wowfka wrote:
> Hello,
>
> Have question regarding file security. I am thinking to create e-shop
> where you can buy some files.
> Would it be se
Hello,
Have question regarding file security. I am thinking to create e-shop
where you can buy some files.
Would it be secure if I create a dedicated FTP server and allow access to
it only from the e-shop (IP)? Users can't directly access FTP; I have
written an FTP client with PHP, which downloads, sends
Each time you make an ajax request you invalidate the existing
security token. To use SecurityComponent and Ajax you would have to
send the latest token with each form (and make sure you get a new one
back from the server on each ajax request). And that is what in part
amounts to
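The token lifecycle described above, as an added example that is not part of the thread and not CakePHP's code: a minimal one-time-token store in plain PHP that models the behaviour (each validated request consumes the token and issues a new one). The class and function names, and the two scenarios, are this example's own.

```php
<?php
// Added example (not CakePHP code): a one-time-token store that models the
// behaviour described in the post. Every validated request consumes the
// current token and issues a fresh one, so a form that still carries the
// token from the original page load fails after any intervening AJAX call.

final class TokenStore
{
    private ?string $current = null;

    // Called when a form (or an AJAX response) is rendered: returns the
    // token the client must send back, generating one if none is outstanding.
    public function issue(): string
    {
        if ($this->current === null) {
            $this->current = bin2hex(random_bytes(16));
        }
        return $this->current;
    }

    // Called on every state-changing request. Consumes the token and rotates
    // it, so the caller has to read the new token from the response and put
    // it into any form still sitting on the page.
    public function validate(?string $presented): bool
    {
        if ($presented === null || $this->current === null) {
            return false;
        }
        $ok = hash_equals($this->current, $presented);
        // Rotate regardless of outcome: a failed attempt must not leave the
        // old token usable for a second try.
        $this->current = bin2hex(random_bytes(16));
        return $ok;
    }
}

// The situation in the thread: the page loads a form, then an AJAX request
// fires before the form itself is submitted.
function scenario_stale_token(): array
{
    $store = new TokenStore();
    $formToken = $store->issue();             // token baked into the form on page load

    $ajaxAccepted = $store->validate($formToken);   // AJAX request: token still valid
    $formAccepted = $store->validate($formToken);   // form submit: token already consumed

    return ['ajax' => $ajaxAccepted, 'form' => $formAccepted];   // [true, false]
}

// The fix the post describes: the AJAX response carries the fresh token and
// the client rewrites the form's hidden field with it before submitting.
function scenario_refreshed_token(): array
{
    $store = new TokenStore();
    $formToken = $store->issue();

    $ajaxAccepted = $store->validate($formToken);
    $refreshed = $store->issue();             // returned in the AJAX response body
    $formAccepted = $store->validate($refreshed);

    return ['ajax' => $ajaxAccepted, 'form' => $formAccepted];   // [true, true]
}

var_dump(scenario_stale_token(), scenario_refreshed_token());
```

The rotation on failure is deliberate: if a rejected request left the old token in place, a script that guessed wrong could simply retry against the same value.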
False alarm on the Google ads. Turns out you can pretty much run any
kind of ad you want on your site via the query string. For example my
site is a web development blog but if I pass a querystring like this:
http://code621.com/?cars=toyota
Car related ads show up. I always thought it was more b
You should post a trac ticket of this anyways for the team to see.
https://trac.cakephp.org/
I've been doing some more research on this. First off, you should
probably make sure that allow_url_fopen and allow_url_include are
disabled in both the php.ini file and the http.conf file in apache.
This will protect you from someone executing code that gets included
via a url.
In regard to the
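As an added example that is not part of the thread: the include pattern the advice above defends against, beside an allowlisted resolver, plus a report of the two directives. The template names and directory are made up. Both directives are PHP_INI_SYSTEM, so they can only be turned off in php.ini or with php_admin_flag in the Apache configuration, not with ini_set() at runtime.

```php
<?php
// Added example, not from the thread. Contrasts the include pattern the
// advice above defends against with an allowlisted resolver, and reports the
// two ini directives. The template names and directory are made up.

const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Vulnerable shape: request input becomes the include target. With
// allow_url_include=On, ?page=http://evil.example/x runs remote code; with
// only allow_url_fopen=On, include() still fetches the URL body. The path is
// returned instead of included so this demo is safe to execute.
function resolve_unsafe(string $page): string
{
    return $page . '.ctp';
}

// Hardened: map the request value onto a closed list. Traversal and URLs
// never reach the filesystem, whatever the ini settings say.
function resolve_safe(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/templates/' . $page . '.ctp';
}

// Both directives are PHP_INI_SYSTEM: report them, they cannot be changed
// here with ini_set(). ini_get() yields "1" when on, "" or "0" when off.
function url_directives(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

$inputs = ['about', '../../../etc/passwd', 'http://evil.example/shell.txt'];
foreach ($inputs as $input) {
    printf("%-32s unsafe -> %s\n%-32s safe   -> %s\n", $input, resolve_unsafe($input),
        '', var_export(resolve_safe($input), true));
}
print_r(url_directives());
```

The allowlist is the part that matters: turning the directives off stops remote URLs, but it does nothing against a local path such as the traversal input above, which only the closed list rejects.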
fades out...updated selections fade in the user's profile.
Dave
-Original Message-
From: Martin Westin [mailto:martin.westin...@gmail.com]
Sent: June-03-09 9:09 AM
To: CakePHP
Subject: Re: Security Component and AJAX
Hi, I'm just butting in with a quick question. Something for you to check
Two different sets of data..
First is with Security component added in app_controller
When I debug
debug($this->data); right before the save
$this->User->save($this->data, true,
array_keys($this->User->$join_table->schema()))
Array
(
[_Token] => Array
Hi, I'm just butting in with a quick question. Something for you to
check.
There is no other ajax request after the page loads and before the
form is posted? If so then this will also cause problems for
SecurityComponent since the token will be old.
/Martin
On Jun 3, 7:20 am, Miles J wrote:
> A
At /joesmith/update/systems/, if you can debug the data you should be
able to save it. What exactly happens, a white page?
...@gmail.com]
Sent: June-03-09 1:37 AM
To: CakePHP
Subject: Re: Security Component and AJAX
Actually nvm I think I read it wrong.
What's the content passed during the ajax request (find it with Firebug).
Actually nvm I think I read it wrong.
What's the content passed during the ajax request (find it with
Firebug).
$model_table,
array('multiple'=>'checkbox',
'label'=>false));
?>
<?php echo $form->end('Submit'); ?>
Just a bunch of check boxes.
Dave
-Original Message-
From: Miles J [mailto:m
If you are doing it that way, there's no possible way for your data to
show up in $this->data. Your ajax fields need to be wrapped in data[],
else it should show up in $this->params['form'].
',
//success: function()
{$(this).fadeOut("slow")}
});
return false; // <-- important!
});
});
-Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com]
Sent: June-03-09 12:53 AM
To: CakeP
Can I see your js ajax code.
Nope...still same thing. I will just secure the form myself and add security
to the controllers that need them individually for now.
Thanks again for your insight and fast response.
Dave
-Original Message-
From: brian [mailto:bally.z...@gmail.com]
Sent: June-02-09 11:28 PM
To: cake
'action'] == 'update_systems')
> {
> $this->Security->validatePost = false;
> }
> }
As it's AJAX requests that are the problem, I'd do this instead:
function beforeFilter()
{
parent::beforeFilter();
if ($this->
My Ajax functions are in different controllers but I added
function beforeFilter()
{
parent::beforeFilter();
if ($this->params['action'] == 'update_systems')
{
$this->Security->validatePost = false;
Security component does not work in conjunction with Ajax.
If all your ajax requests are in a controller called Ajax, simply
place this in the beforeFilter().
/**
* Executed before each action
*/
function beforeFilter() {
parent::beforeFilter();
// Turn debug off for ajax calls
I've been trying all day to get a form to submit via Ajax and nothing. I removed
the security component and it worked perfectly. I have not modified the form
in any way, but when I add the security component it never saves the data.
The form is submitted via Ajax. Is there something I am missing?
Form
Pretty sure this was fixed in 1.2.1. Check the group stickies.
-Mark
On Jun 2, 4:49 am, Marc wrote:
> Hi all,
>
> I was wondering if anyone had come across the issues discussed on this
> blog:
>
> http://rajeshanbiah.blogspot.com/2008/12/cakephp-security-issue-even-...
Hi all,
I was wondering if anyone had come across the issues discussed on this
blog:
http://rajeshanbiah.blogspot.com/2008/12/cakephp-security-issue-even-in.html
I happened to stumble onto the post, and was wondering what these
issues were.
Thanks
iew/75/Saving-Your-Data
>
> The code provided in the tutorial is only to get you to start coding
> as fast as possible, and then build off that.
>
> On May 4, 10:35 am, "AzGhanv/." wrote:
>
> > I was checking tihs tutorial
> > ...http://book.cakephp.org/view/326
Miles,Many thanks for your help! I fix it with your help.
Change
[code]
<?php echo $form->create('User', array('action'=>'signup')); ?>
//
[/code]
to
[code]
<?php echo $form->create('User', array('action'=>'signup')); ?>
//
<?php echo $form->end(); ?>
[/code]
On
The security component will blackhole (white page) if the form is
incorrect or has been altered by a bot.
All your form inputs MUST be created with $form->input().
Is there a cake developer can give me a reply? Thanks in advance.
On Sun, May 24, 2009 at 5:09 PM, Joshua wrote:
> Hi All,
> The Security component was enabled in UserController of my app.There
> is a sign up page. Every time when I click the continue button, there
> will be a blan
Hi All,
The Security component was enabled in UserController of my app. There
is a sign up page. Every time when I click the continue button, there
will be a blank page shown. But if I disable the Security component in
my user controller, it will work fine. I have no idea of what's wrong.
Can so
If you're not modifying form fields with javascript, AJAX form
submissions should have no impact on the use of the Security component
and its ability to prevent CSRF attacks.
-j.
On May 20, 11:22 pm, "Dave Maharaj :: WidePixels.com"
wrote:
> I am trying to break my app
eady around that can help. Most of
my requests are AJAX so for pages with forms the Security component is no
good for me.
Ideas? Suggestions?
Thanks,
Dave
I want to enable my users to upload customized versions of the index/
view templates.
Is there a way I can restrict them to use only PHP variables and
object methods?
I'm asking, because if a user uploads a customized template (.ctp) I
don't want it to include malicious code (e.g. listing direct
26/The-Cake-Blog-Tutorial
>
> Here I see a big security flaw ... and I think this practice is used
> throughout the framework.
>
> # function add()
> # {
> # if (!empty($this->data))
> # {
> # if ($this->Post->save($this->data))
> # {
> # $this->flash
I was checking this tutorial ...
http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
Here I see a big security flaw ... and I think this practice is used
throughout the framework.
# function add()
# {
# if (!empty($this->data))
# {
# if ($this->Post->save($this->data))
# {
#
I might be mistaken, but I'm using the Security component not the Auth
component. I believe it's two different things. My problem is with
the Security component not blackholing the request when I try to
maliciously modify the form.
On May 1, 3:43 pm, "Benedikt R." wrote
Did you try this?:
$this->Auth->deny('*');
$this->Auth->allow('index', 'view');
parent::beforeFilter();
>
> Best regards
>
> On 1 Mai, 21:02, Stinkbug wrote:
>
> > I usually use the security components requireAuth to make sure that
> > hidden field values haven't been changed when the form is submitted
> > back to the server. This usual
Try to remove
parent::beforeFilter();
Best regards
On 1 Mai, 21:02, Stinkbug wrote:
> I usually use the security components requireAuth to make sure that
> hidden field values haven't been changed when the form is submitted
> back to the server. This usua
I usually use the security components requireAuth to make sure that
hidden field values haven't been changed when the form is submitted
back to the server. This usually works fine. However, I noticed it
doesn't seem to matter on my admin_add and admin_edit actions. Is
there som
If you're using any JavaScript in your form, the security component will
always blackhole. You will need to put this in the beforeFilter().
$this->Security->validatePost = false;
But that will disable it for all actions, if you only want one:
if ($this->params['action'] =
I haven't used FCK in some time and don't remember the details, but
it's possible that it's adding a new form element along with all of
the other page elements it creates. This would cause Security to
blackhole your submission. You could check for this by disabling
Securit
Anyone see (or think of) anything that might be causing my issue?
Cheers,
Toby
Thanks for getting back to me Miles!
They do indeed blackhole (which sends the client a 404). There is one
'odd' field on my form ('text') below, which I'm showing using
FCKEditor. I tried your suggestion, and I also tried removing it
completely, but I still get the same issue. Can you see anythi
Do you mean they blackhole?
If you are adding fields manually that aren't created by $form->input(),
it will blackhole.
To fix this, place the following code in your beforeFilter(). You
would add each field you created manually as an argument.
$this->Security->disabledFields = arra
Hi all,
I added the Security component to my controller, which I thought
would be enough to add basic form authentication. However, my
admin_edit/admin_add actions both now fail (404).
I have tried adding various combinations of requirePost and
requireAuth to my beforeFilter (applied to
his->Post->deleteAll(array(
> 'Post.id' => $id,
> 'Post.author_id'=>$auth_user_id
> ),true,true);
>
> This will ensure that a user can only delete their own posts... ajax
> or plain request does not matter. SecurityComponent can not take c
;
This will ensure that a user can only delete their own posts... ajax
or plain request does not matter. SecurityComponent can not take care
of all your security even without ajax and deleting with conditions is
a good way to limit the possible damage.
On Apr 21, 6:04 am, "Dave Maharaj
I have just been messing around with my app and changing values in Ajax
links with Firebug to see what happens...sure enough I can be logged in as
user 1 and through an Ajax form delete a post by User 2. Been reading about the
Security Component but seems from what I have found is that it does not
Hi!
I want to use Session in the frontend with SecurityLevel 'low'
and Session in the backend with SecurityLevel 'high'.
How can I do that?
thx
Aurelius
I found this; I'm assuming it will bypass these fields so it won't
blackhole.
$this->Security->disabledFields = array('field1', 'field2');
Later calls to shuffle() or other functions which do not use the
mt_srand() seed then return the same predictable results time and time
again.
Shouldn't the seed be set to a new seed at the end of the function
before the return? This behavior is in the latest version of CakePHP
and has been in fo
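As an added example, not from the thread and not CakePHP's code: what a helper that reseeds with mt_srand() and never reseeds afterwards does to every later draw in the same process, and the CSPRNG functions that sidestep the problem. The seed value, the deck and the function names are arbitrary.

```php
<?php
// Added example, not from the thread: what a helper that reseeds with
// mt_srand() and never reseeds afterwards does to later "random" values, and
// what to use instead. The seed and the deck are arbitrary.

// Models the pattern the post describes: seed, draw one value, return.
function key_from_fixed_seed(): string
{
    mt_srand(12345);                         // constructed, guessable seed
    return substr(md5((string) mt_rand()), 0, 16);
}

// What the rest of the request sees afterwards: every draw from the shared
// MT state, including shuffle() on PHP 7.1+, follows from that seed.
function draws_after_keygen(): array
{
    key_from_fixed_seed();
    $deck = range(1, 10);
    shuffle($deck);
    $numbers = [];
    for ($i = 0; $i < 5; $i++) {
        $numbers[] = mt_rand(1, 1000);
    }
    return ['deck' => $deck, 'numbers' => $numbers];
}

// Two independent runs (two requests, two servers) yield identical output.
function output_repeats(): bool
{
    return draws_after_keygen() === draws_after_keygen();     // true
}

// Fix for secrets: random_bytes()/random_int() read the OS CSPRNG and
// ignore mt_srand() entirely, so no reseed bookkeeping is needed.
function key_from_csprng(): string
{
    return bin2hex(random_bytes(8));
}

function csprng_ignores_seed(): bool
{
    mt_srand(12345);
    $a = key_from_csprng();
    mt_srand(12345);
    $b = key_from_csprng();
    return $a !== $b;                        // true (collision odds 2^-64)
}

var_dump(output_repeats(), csprng_ignores_seed());
```

Reseeding at the end of the function, as the post suggests, would only patch this particular helper; any other code that calls mt_srand() with a fixed value reintroduces the same predictability, which is why secrets should not come from the shared MT state at all.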
t use $
> ('UserUsername').value = '...' if you're using Prototype.
>
> Remember when using the security component you must use the form
> helper for all of your forms, most of the time this isn't a problem
> because you can specify all kinds of information a
UserUsername, you could just use $
('UserUsername').value = '...' if you're using Prototype.
Remember when using the security component you must use the form
helper for all of your forms, most of the time this isn't a problem
because you can specify all kinds of informat
It seems even if I use form helper, I still have the same problem.
https://trac.cakephp.org/ticket/6254
I even tried making the hidden field visible, and wrapping it in a div
that is display: none, but it still blackholes. I'll see if I can find
a workaround.
On Sun, Mar 29, 2009 at 5:23 PM, Miles J wrote:
>
> So I have the Security Component enabled on my application. The
> component works fine on nearly all forms EXCEPT forms where I have a
> hidden input (created by form helper), or where I have created an
> input without
So I have the Security Component enabled on my application. The
component works fine on nearly all forms EXCEPT forms where I have a
hidden input (created by form helper), or where I have created an
input without the form helper.
Heres an example that I do without the form helper (multiple
Another thing you can do is only allow each user to maintain one
session. Keep a record of the session hash key in the database and
compare on each request. If a user logs in from a different machine
they will get a new session hash and invalidate the old session hash.
This gets around the locko
Right on..
Thanks,
Will give that a try.
Dave
-Original Message-
From: brian [mailto:bally.z...@gmail.com]
Sent: March-26-09 8:12 PM
To: cake-php@googlegroups.com
Subject: Re: Login Security
That'd be vulnerable to locking people out because the last time they logged
in they d
That'd be vulnerable to locking people out because the last time they
logged in they didn't specifically log out.
I don't see anything in the API to do this but, if you could pass a
session ID to see if it was active, you could record the session_id
along with the user_id in a table. So, when som
Just a general question.
Can I restrict a user to only allow the user to be logged in from one
location...sounds stupid but some people share acct info with friends /
family so this would restrict a user from logging in only once.
So for example on login update a field in the user table LOGGEDI
I had similar problem.
Do you create a hidden field in JavaScript? It is not permitted with the
security component.
SC checks if the form has the same fields it has on the server side...
rt
On 22 Mar, 11:34, Xavier Orduna wrote:
> Hi All,
>
> First of all, congratulations for you
naged. But when I activate the Security component,
obviously the hidden field is modified and I get into a "black
hole" (this white screen).
Is there any way to tell the Security component that my particular
hidden field is completely inoffensive?
Or is it safer to use a regular in
Hey Everyone!
I am struggling to write a file upload here. I have the security
component enabled in my app_controller and as soon as I place a
$form->file() in the form and submit it, I get taken to a white page, no
errors, and only a list of queries if I have them enabled.
It is much l
Hi!
I have a model Users which has Many Blogs which hasMany Entries.
When I'm now in the Users edit function, I can also save Blog changes,
so here's my question about Security.
Does CakePHP automatically check if the Blog belongs to the User, or could
I save any Blog changes through my
It also seems any post I make normally just goes to a white page. This
security component is quite confusing.
Thanks, that worked. But now I'm trying to blackhole a non-Ajax request,
and this doesn't seem to work either.
if (!$this->RequestHandler->isAjax()) {
$this->Security->blackHole($this, 'You are not authorized to process
this request!');
}
How exactly can I tell if the blac
Looking at the Security component source, you need to override the
validatePost value in SecurityComponent. The following is untested code,
but I think it should work.
function beforeFilter() {
if ($this->action == 'your_action') {
$this->Security->v
When I add the Security component, all my ajax requests fail. They
never finish or return data. I am using jQuery and not the built in
ajax.
What do I have to do to allow this to work? The manual for Security is
a bit vague.
Hello
does CakePHP scaffolding use FormHelper? My forms are generated via
scaffolding...
Ajax is not in use at the moment...
Here is my problem view
<?php echo $form->create('User', array('controller'=>'users','action' => 'add'));?>
";
echo "Name";
echo $form->input('nam
SecurityComponent protects you from some hacking attempts.
If your posted form did not have the required security hashes it
protects you by emptying the data.
You can be treated as a hacker if for example:
- You wrote the form by hand without FormHelper.
- You have ajax on the same page.
/Martin
Hello together,
I want to test what the Security Component can do. So I added it
var $components = array('Security');
and in beforeFilter
function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('index','search');
// Security Component
Hi guys this is my first post here, and I've not been using Cake for
long.
I am writing some unit tests for the models of a new application. For the
most part it works well; however, in my User model I use the Cake
security component to do some custom validation of a password
confirmation. W
ite, and in order
> to get it to work, I have to set Session.checkAgent to false. In the
> cake docs it says:
>
> 'When set to false, CakePHP sessions will not check to ensure the user
> agent does not change between requests.'
>
> Can someone explain why the user ag
xplain why the user agent changing is a security issue?
I'm having a hard time finding a clear answer, and I am not sure if I
want to disable the agent check in my app.
Thanks!
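The two checks discussed in this part of the list, as one added example that is not from the thread and not CakePHP's code: tying each account to a single live session (the "store the session id on login and compare on every request" approach from the Login Security thread above) and binding the session to the User-Agent, which is the check Session.checkAgent performs. A PHP array stands in for the users table; the class, method and user-agent strings are this example's own.

```php
<?php
// Added example, not from the thread or CakePHP: one live session per user
// plus a User-Agent binding, checked on every request. An array stands in
// for the users table; names and user-agent strings are made up.

final class SessionGuard
{
    /** @var array<int, array{session_id: ?string}> stand-in for the users table */
    private array $users = [1 => ['session_id' => null]];

    // Run on successful login. A fresh id defeats session fixation; storing
    // it means any earlier session for this user stops validating on its
    // next request (it reads as having been superseded by a newer login).
    public function login(int $userId, array &$session, string $userAgent): void
    {
        $session = [
            'id'      => bin2hex(random_bytes(16)),   // stands in for session_regenerate_id()
            'user_id' => $userId,
            'ua_hash' => hash('sha256', $userAgent),
        ];
        $this->users[$userId]['session_id'] = $session['id'];
    }

    // Run on every authenticated request. Returns null when the session is
    // still the user's current one and came from the same agent, otherwise
    // the reason it was rejected.
    public function check(array $session, string $userAgent): ?string
    {
        if (!isset($session['user_id'], $session['id'], $session['ua_hash'])) {
            return 'not logged in';
        }
        $current = $this->users[$session['user_id']]['session_id'] ?? null;
        if ($current === null || !hash_equals($current, $session['id'])) {
            return 'superseded by a newer login';
        }
        // Agent binding is cheap to bypass by an attacker who copies the
        // header, so treat it as a tripwire, not as authentication.
        if (!hash_equals($session['ua_hash'], hash('sha256', $userAgent))) {
            return 'user agent changed';
        }
        return null;
    }
}

function demo(): array
{
    $guard = new SessionGuard();
    $home = [];
    $work = [];

    $guard->login(1, $home, 'Firefox/3.0');
    $first = $guard->check($home, 'Firefox/3.0');             // null: accepted

    $guard->login(1, $work, 'IE7');                            // same account, second machine
    $afterSecondLogin = $guard->check($home, 'Firefox/3.0');   // 'superseded by a newer login'

    $uaChanged = $guard->check($work, 'curl/7.19');            // 'user agent changed'

    return [$first, $afterSecondLogin, $uaChanged];
}

var_dump(demo());
```

Because the newest login always wins, a user who never logged out is not locked out of their next login, which is the objection raised against the LOGGEDIN-flag approach earlier in the thread; the cost is that the older session is silently ended. The agent check answers the question above in the same spirit: a session cookie that suddenly arrives with a different User-Agent is a sign it may have been copied to another client, but an attacker who also copies the header passes it, so it is a low-cost tripwire rather than a defence on its own.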
As far as I know the SecurityComponent checks for hidden fields.
But you could try it out using Firebug. ;-)
Hi!
I create forms with JS (because of AJAX) instead of normal HTML, so is
it possible to use the really cool dataToken function as well?
So what I would need is the value of the data[_Token][key] and data
[_Token][fields]?
thx
Aurelius
anyone?
On 31 Jan., 11:52, Aurelius wrote:
> When I use the form-Helper and the security-component, do I have to
> check if the user changes the value of hidden fields (like id, and
> foreign keys like author_id) or do the security-component auto-check
> that through the data
avascript', 'Ajax');
On Jan 17, 6:14 am, Gwoo wrote:
> After the release of 1.2 Final, we received a lot of attention. Some
> of this came in the form of a security concern. The issue could affect
> sites relying on the AuthComponent for user authentication, without
> t
When I use the form helper and the security component, do I have to
check if the user changes the value of hidden fields (like id, and
foreign keys like author_id) or does the security component auto-check
that through the data[_Token][key]?
thx
Aurelius
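The form-field locking that runs through this whole set of posts (blackholing when inputs are written by hand or added by JavaScript, disabledFields as the way out, and the question just above about edited hidden values), as one added example in plain PHP. It is a simplified model of how such a lock works, not CakePHP's implementation and not a claim about any specific Cake version: the server hashes the rendered field names, and the values of hidden fields, under a secret and ships the digest in a hidden input; on submission it recomputes from what arrived. The field names, the secret and the function names are made up.

```php
<?php
// Added example, not CakePHP's code: a simplified model of form-field
// locking. On render, the server hashes the list of field names (plus the
// values of hidden fields) under a secret and ships the digest in a hidden
// input. On submission it recomputes the digest from what arrived. A field
// written by hand, one injected by JavaScript or a bot, or an edited hidden
// value all break the match. Field names and the secret are made up.

const FORM_SECRET = 'demo-secret-do-not-use';   // constructed; use a real random key

// Lock for a rendered form. $fields: name => ['hidden' => bool, 'value' => string].
// $unlocked: names left out of the lock (the role disabledFields plays).
function form_lock(array $fields, array $unlocked = []): string
{
    $parts = [];
    foreach ($fields as $name => $meta) {
        if (in_array($name, $unlocked, true)) {
            continue;
        }
        // Hidden inputs are locked by value; visible inputs only by name.
        $parts[] = $meta['hidden'] ? $name . '=' . $meta['value'] : $name;
    }
    sort($parts);
    return hash_hmac('sha256', implode("\n", $parts), FORM_SECRET);
}

// Validate a submission. $post: name => value as received. $hiddenNames: the
// names the server rendered as hidden inputs for this form.
function form_submission_ok(array $post, array $hiddenNames, array $unlocked = []): bool
{
    if (!isset($post['_lock'])) {
        return false;
    }
    $fields = [];
    foreach ($post as $name => $value) {
        if ($name === '_lock') {
            continue;
        }
        $fields[$name] = ['hidden' => in_array($name, $hiddenNames, true), 'value' => $value];
    }
    return hash_equals(form_lock($fields, $unlocked), $post['_lock']);
}

function scenarios(): array
{
    $rendered = [
        'id'    => ['hidden' => true,  'value' => '42'],
        'title' => ['hidden' => false, 'value' => ''],
        'body'  => ['hidden' => false, 'value' => ''],
    ];
    $hidden = ['id'];
    $lock = form_lock($rendered);

    $honest  = ['id' => '42', 'title' => 'Hi', 'body' => 'text', '_lock' => $lock];
    $extra   = $honest + ['is_admin' => '1'];      // field injected by a bot
    $edited  = ['id' => '7'] + $honest;            // hidden id changed by the client
    $jsField = $honest + ['captcha_ok' => '1'];    // field added by page JavaScript

    return [
        'honest'              => form_submission_ok($honest, $hidden),                   // true
        'injected field'      => form_submission_ok($extra, $hidden),                    // false
        'edited hidden value' => form_submission_ok($edited, $hidden),                   // false
        'js field, locked'    => form_submission_ok($jsField, $hidden),                  // false
        'js field, unlocked'  => form_submission_ok($jsField, $hidden, ['captcha_ok']),  // true
    ];
}

var_dump(scenarios());
```

The last two rows are the disabledFields trade-off in miniature: unlocking a name lets the JavaScript-added field through, and it equally lets an attacker set that field to anything, so only fields whose value the server does not trust should be unlocked, and a hidden id or author_id should never be.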
ake <-- my cake directory
\wamp\www\blog <-- my app directory (1)
\wamp\www\bakingtest <-- my app directory (2)
Now for my question. After doing this I thought to myself, if this
were a production environment, would there be any security
vulnerabilities by having my cake directory in the www
There is a very easy way to exploit this. I wrote about it here:
http://www.pseudocoder.com/archives/2009/01/22/cakephp-digest-6/
-Matt
http://www.pseudocoder.com
m, Gwoo wrote:
>
> > > After the release of 1.2 Final, we received a lot of attention. Some
> > > of this came in the form of a security concern. The issue could affect
> > > sites relying on the AuthComponent for user authentication, without
> > > the
do not have the
> option of Firefox at work. Only IE7.
>
> On Jan 16, 4:14 pm, Gwoo wrote:
>
> > After the release of 1.2 Final, we received a lot of attention. Some
> > of this came in the form of a security concern. The issue could affect
> > sites relying on the Auth
That's a bit of a broad question, don't you think?
Did you go through the manual?
http://book.cakephp.org/
Did you use the other manual?
http://www.google.com/search?q=cakephp+acl+auth
On Jan 20, 10:46 pm, Delirium tremens wrote:
> How do they relate to each other?
How do they relate to each other?
done
something wrong it would generate .. where id = "all" - which would do
nothing.
If you mean more generally how to secure your actions - that's auth +
not doing anything via GET requests (i.e. protecting yourself from
CSRF). Simply by using the security component and requirePo
You could just do something like:
function delete($id=null) {
if(is_numeric($id)) {
$this->Post->del($id);
// etc.
}
}
On Jan 19, 5:29 pm, Delirium tremens wrote:
> http://localhost/CakePHP/cakeBlog/posts/delete/1
>
> 1 can be anything
>
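The secure delete discussed in these last two threads (only deleting rows that carry the caller's author_id, and not doing anything on GET plus requiring a token so a link cannot trigger it), as one added example that is not from the thread and not CakePHP's code. It uses in-memory SQLite through PDO with constructed rows; the table layout, the token handling and the function names are this example's own.

```php
<?php
// Added example, not from the thread: a delete handler applying the checks
// discussed above in one place. It refuses anything but POST (a GET link or
// image tag cannot trigger it), requires a token matching the session, and
// scopes the DELETE to the caller's own rows, as the deleteAll(...author_id...)
// advice does. In-memory SQLite with constructed rows; names are made up.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, title TEXT)');
    $db->exec("INSERT INTO posts VALUES (1, 1, 'mine'), (2, 2, 'someone elses')");
    return $db;
}

// Returns the outcome as a string so the reader can see which check fired.
function delete_post(PDO $db, string $method, array $post, array $session, $id): string
{
    if ($method !== 'POST') {
        return 'rejected: not POST';                 // what requirePost enforces
    }
    if (!isset($post['_token'], $session['_token'])
        || !hash_equals($session['_token'], (string) $post['_token'])) {
        return 'rejected: bad token';                // CSRF token mismatch
    }
    if (!ctype_digit((string) $id)) {
        return 'rejected: bad id';                   // the is_numeric idea above, digits only
    }
    // Ownership lives in the WHERE clause, so a foreign id simply matches nothing.
    $stmt = $db->prepare('DELETE FROM posts WHERE id = :id AND author_id = :author');
    $stmt->execute([':id' => (int) $id, ':author' => $session['user_id']]);
    return $stmt->rowCount() === 1 ? 'deleted' : 'rejected: not owner or no such post';
}

function demo(): array
{
    $db = make_db();
    $session = ['user_id' => 1, '_token' => bin2hex(random_bytes(16))];
    $good = ['_token' => $session['_token']];
    return [
        delete_post($db, 'GET',  $good,             $session, 1),      // rejected: not POST
        delete_post($db, 'POST', ['_token' => 'x'], $session, 1),      // rejected: bad token
        delete_post($db, 'POST', $good,             $session, 'all'),  // rejected: bad id
        delete_post($db, 'POST', $good,             $session, 2),      // rejected: not owner
        delete_post($db, 'POST', $good,             $session, 1),      // deleted
    ];
}

print_r(demo());
```

Putting the owner into the WHERE clause, rather than fetching the row and comparing in PHP, means there is no window between the check and the delete and no code path that can forget the comparison; the token and method checks stop a third-party page from making the logged-in user's browser issue the request at all.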