Thank you all. I just think that a tutorial should exists on how to create sortable columns like the way it is in the backend. Same thing for the use of filters. These are common functionnalities that i want to use for the frontend. I thought it would be simple to implement but not. I don't want to use javascript because the frontend is likely to be accessed by mobile phones.
And for me, security problems are the responsability of all symfony users. But if i use a framework it is mainly because i want to focus my efforts on "business things" (business class) not on security issues. On 6 mar, 20:13, Gareth McCumskey <gmccums...@gmail.com> wrote: > I'm afraid not. The entire point of passing GET and POST variables > into the sfWebRequest object is to allow for cleaning of potentially > mailicious code. You say hoiw would it know? How would you know? How > would you code it remove potentially malicious content? If the > sfWebRequest object did nothing more than just hold a carbon copy of > parameters passed, we might as well not bother and just directly > access $_GET and $_POST! > > As for the security fix you mentioned, it is true that was a problem > and that was because one small aspect of the existing cleaning > mechanisms in symfony was overlooked. If the sfWebRequest object did > NOT clean up the GET and/or POST parameters, why did the symfony core > team fix it? If it wasn't supposed to clean the parameters there > shouldn't have been anything to fix! > > On Sat, Mar 6, 2010 at 12:45 PM, Daniel Lohse > > > > <annismcken...@googlemail.com> wrote: > > That's incorrect, Gareth. The security fix for symfony 1.4.3 just last week > > was on the *exact* same lines of code because you could inject SQL in the > > Doctrine admin generator. > > > How would symfony guess what you want to remove (clean) or not? :) > > > Daniel > > > On 06.03.2010, at 08:10, Gareth McCumskey wrote: > > >> Firstly, symfony does that for you ;). Secondly it was just a quick > >> example to get him on the right road. I didn't have time to sit and > >> show a fully worked, real world example. > > >> Jsut to reiterate, symfony already checks what parameters are passed > >> through GET and POST for you for SQL injection and cleans them. Try it > >> yourself if you don't believe me. Its one of the great benefits of > >> using a framework. > > >> On Fri, Mar 5, 2010 at 8:12 PM, Augusto Flavio <afla...@gmail.com> wrote: > >>> Hi Gareth, > > >>> the method that you show us have a security problem: inject sql. You need > >>> to > >>> check what kind of parameter the user is sending. > > >>> if (!in_array($parameter, array('asc', 'desc'))) { > >>> //do something > >>> } else { > >>> //execute the query > >>> } > > >>> bye > > >>> Augusto Morais > > >>> -- > >>> If you want to report a vulnerability issue on symfony, please send it to > >>> security at symfony-project.com > > >>> You received this message because you are subscribed to the Google > >>> Groups "symfony users" group. > >>> To post to this group, send email to symfony-users@googlegroups.com > >>> To unsubscribe from this group, send email to > >>> symfony-users+unsubscr...@googlegroups.com > >>> For more options, visit this group at > >>>http://groups.google.com/group/symfony-users?hl=en > > >> -- > >> Gareth McCumskey > >>http://garethmccumskey.blogspot.com > >> twitter: @garethmcc > > >> -- > >> If you want to report a vulnerability issue on symfony, please send it to > >> security at symfony-project.com > > >> You received this message because you are subscribed to the Google > >> Groups "symfony users" group. > >> To post to this group, send email to symfony-users@googlegroups.com > >> To unsubscribe from this group, send email to > >> symfony-users+unsubscr...@googlegroups.com > >> For more options, visit this group at > >>http://groups.google.com/group/symfony-users?hl=en > > > -- > > If you want to report a vulnerability issue on symfony, please send it to > > security at symfony-project.com > > > You received this message because you are subscribed to the Google > > Groups "symfony users" group. > > To post to this group, send email to symfony-users@googlegroups.com > > To unsubscribe from this group, send email to > > symfony-users+unsubscr...@googlegroups.com > > For more options, visit this group at > >http://groups.google.com/group/symfony-users?hl=en > > -- > Gareth McCumskeyhttp://garethmccumskey.blogspot.com > twitter: @garethmcc -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony users" group. To post to this group, send email to symfony-users@googlegroups.com To unsubscribe from this group, send email to symfony-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en