Hi Daniel,

thanks for your reply about the SQL injection security fix in the Doctrine admin
generator of symfony 1.4.3.


Bye.


Augusto Morais

2010/3/8 ziclo <lauren...@gmail.com>

> Thank you all. I just think that a tutorial should exist on how to
> create sortable columns like the way it is in the backend. Same thing
> for the use of filters. These are common functionalities that I want
> to use for the frontend.
> I thought it would be simple to implement, but it is not. I don't want to use
> javascript because the frontend is likely to be accessed by mobile
> phones.
>
> And for me, security problems are the responsibility of all symfony
> users. But if I use a framework it is mainly because I want to focus
> my efforts on "business things" (business class) not on security
> issues.
>
> On 6 mar, 20:13, Gareth McCumskey <gmccums...@gmail.com> wrote:
> > I'm afraid not. The entire point of passing GET and POST variables
> > into the sfWebRequest object is to allow for cleaning of potentially
> > malicious code. You say how would it know? How would you know? How
> > would you code it to remove potentially malicious content? If the
> > sfWebRequest object did nothing more than just hold a carbon copy of
> > parameters passed, we might as well not bother and just directly
> > access $_GET and $_POST!
> >
> > As for the security fix you mentioned, it is true that was a problem
> > and that was because one small aspect of the existing cleaning
> > mechanisms in symfony was overlooked. If the sfWebRequest object did
> > NOT clean up the GET and/or POST parameters, why did the symfony core
> > team fix it? If it wasn't supposed to clean the parameters there
> > shouldn't have been anything to fix!
> >
> > On Sat, Mar 6, 2010 at 12:45 PM, Daniel Lohse <annismcken...@googlemail.com> wrote:
> > > That's incorrect, Gareth. The security fix for symfony 1.4.3 just last
> > > week was on the *exact* same lines of code because you could inject SQL in
> > > the Doctrine admin generator.
> >
> > > How would symfony guess what you want to remove (clean) or not? :)
> >
> > > Daniel
> >
> > > On 06.03.2010, at 08:10, Gareth McCumskey wrote:
> >
> > >> Firstly, symfony does that for you ;). Secondly it was just a quick
> > >> example to get him on the right road. I didn't have time to sit and
> > >> show a fully worked, real world example.
> >
> > >> Just to reiterate, symfony already checks what parameters are passed
> > >> through GET and POST for you for SQL injection and cleans them. Try it
> > >> yourself if you don't believe me. It's one of the great benefits of
> > >> using a framework.
> >
> > >> On Fri, Mar 5, 2010 at 8:12 PM, Augusto Flavio <afla...@gmail.com> wrote:
> > >>> Hi Gareth,
> >
> > >>> the method that you showed us has a security problem: SQL injection. You
> > >>> need to check what kind of parameter the user is sending.
> >
> > >>> if (!in_array($parameter, array('asc', 'desc'))) {
> > >>>    //do something
> > >>> } else {
> > >>>    //execute the query
> > >>> }
> >
> > >>> bye
> >
> > >>> Augusto Morais
> >
> > >>> --
> > >>> If you want to report a vulnerability issue on symfony, please send
> > >>> it to security at symfony-project.com
> >
> > >>> You received this message because you are subscribed to the Google
> > >>> Groups "symfony users" group.
> > >>> To post to this group, send email to symfony-users@googlegroups.com
> > >>> To unsubscribe from this group, send email to
> > >>> symfony-users+unsubscr...@googlegroups.com<symfony-users%2bunsubscr...@googlegroups.com>
> > >>> For more options, visit this group at
> > >>> http://groups.google.com/group/symfony-users?hl=en
> >
> > >> --
> > >> Gareth McCumskey
> > >> http://garethmccumskey.blogspot.com
> > >> twitter: @garethmcc
> >
> >
> >
> > --
> > Gareth McCumskey
> > http://garethmccumskey.blogspot.com
> > twitter: @garethmcc
>
>

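The point argued back and forth above (sfWebRequest hands the action the raw GET/POST values; it does not know which of them are safe to put into an ORDER BY) is easiest to see in code. The following is an added example, not code from the thread, from symfony or from Doctrine. It assumes symfony 1.4 with Doctrine 1.x (`sfWebRequest::getParameter()`, `Doctrine_Query::create()`), and the `Post` model, its column names and the module name are made up.

```php
<?php
// Added example: whitelist user-supplied sort parameters before they reach
// a Doctrine 1 ORDER BY clause. Model, column and module names are invented.

// Pattern under discussion in the thread: the request values land in the
// query unchanged. Neither sfWebRequest nor Doctrine checks that 'sort' is a
// real column of this model or that 'dir' is ASC/DESC, so a crafted value
// becomes part of the generated SQL.
function buildOrderByUnchecked(sfWebRequest $request)
{
    return $request->getParameter('sort', 'created_at')
        . ' ' . $request->getParameter('dir', 'asc');
}

// Hardened form of Augusto's in_array() check: only known column names and
// the two directions are accepted; anything else falls back to the defaults.
// Strict comparison (third argument) avoids loose-typing surprises.
function buildOrderByChecked($sort, $dir, array $allowedColumns, $defaultColumn)
{
    if (!in_array($sort, $allowedColumns, true)) {
        $sort = $defaultColumn;          // unknown column: ignore the request
    }
    $dir = strtolower((string) $dir);
    if (!in_array($dir, array('asc', 'desc'), true)) {
        $dir = 'asc';                    // not asc/desc: ignore the request
    }
    return $sort . ' ' . strtoupper($dir);
}

// Frontend list action using the checked builder (hypothetical module).
class postActions extends sfActions
{
    public function executeIndex(sfWebRequest $request)
    {
        $orderBy = buildOrderByChecked(
            $request->getParameter('sort'),
            $request->getParameter('dir'),
            array('title', 'created_at', 'author'),   // the only sortable columns
            'created_at'
        );
        // Only a whitelisted column and direction can appear here, so the
        // string concatenation is safe.
        $this->posts = Doctrine_Query::create()
            ->from('Post p')
            ->orderBy('p.' . $orderBy)
            ->execute();
    }
}
```

Since the validation returns defaults instead of raising, a request with `?sort=anything&dir=anything` simply yields the default ordering; log the rejected values if you want to notice probing.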
