As long as you are using the Model API and not passing raw strings of SQL to it, then you should be safe.
On Thursday, June 12, 2014 12:56:10 PM UTC+2, phpMagpie wrote:

> I personally do not think the site was the victim of an SQL Injection as I am not passing any raw queries into the system anywhere. The more realistic cause of the problem is I shared phpMyAdmin user details with the client and they accidentally deleted the table themselves, or the login details were made available to someone else who did this. If this was an injection attack, I would expect them to do more than remove one table from one database.
>
> I don't like to jump to conclusions though, so just wanted to know if my configuration has somehow opened up the possibility of SQL Injection.
>
> Thanks, Paul.
>
> On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:
>
>> No, the security component does not protect you against that. There must be some place where you are passing raw input into a query.
>>
>> On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
>>
>>> Hi,
>>>
>>> I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form.
>>>
>>> I did the following:
>>>
>>>     if ($this->request->action == 'add') {
>>>         $this->Security->validatePost = false;
>>>         $this->Security->csrfCheck = false;
>>>     }
>>>
>>> Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to SQL inject a table drop?
>>>
>>> Thanks,
>>>
>>> Paul.
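To make the distinction drawn in the replies concrete, here is an added example (not code from the thread or from CakePHP itself) of a CakePHP 2.x controller that keeps the poster's relaxation for the one long-lived form while still routing every input through the Model API, next to the raw-SQL pattern that would actually allow injection. The `User` model, its `name`/`email`/`role` columns, the `lookup` action and the use of the Session component are assumptions for illustration.

```php
<?php
// App/Controller/UsersController.php (CakePHP 2.x). Added example, not from the
// thread or from CakePHP; the User model and its name/email/role columns are assumed.
App::uses('AppController', 'Controller');

class UsersController extends AppController {
    public $components = array('Security', 'Session');

    public function beforeFilter() {
        parent::beforeFilter();
        // Same relaxation as in the thread, scoped to the one long-lived form.
        // It drops the CSRF token and form-tampering checks, nothing else:
        // SQL values are escaped by the datasource, not by SecurityComponent.
        if ($this->request->action == 'add') {
            $this->Security->validatePost = false;
            $this->Security->csrfCheck = false;
        }
    }

    public function add() {
        if ($this->request->is('post')) {
            $this->User->create();
            // Safe: every value is quoted by the datasource, so quote characters
            // in the input are stored literally rather than parsed as SQL.
            // The explicit field list stands in for the tampering check that
            // validatePost would have done: posted fields outside it (e.g. role)
            // are ignored.
            $ok = $this->User->save($this->request->data, true, array('name', 'email'));
            if ($ok) {
                $this->Session->setFlash(__('Saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Could not save.'));
        }
    }

    public function lookup() {
        $email = isset($this->request->query['email']) ? $this->request->query['email'] : '';
        // The pattern the reply warns about: raw SQL built from request input.
        // With no escaping, a crafted value changes the statement itself.
        //   $rows = $this->User->query("SELECT * FROM users WHERE email = '$email'");
        // Safe equivalent through the Model API: the conditions array is quoted
        // by the datasource before it reaches the database.
        $rows = $this->User->find('all', array(
            'conditions' => array('User.email' => $email),
        ));
        $this->set('rows', $rows);
    }
}
```

Whether the table was dropped through injection or through shared phpMyAdmin credentials is answered by the database server's query log and the phpMyAdmin access log, not by the application code; the code above only shows which of the two the application could have permitted.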