if u sanitize string it's the same shit as if u slug it...so u in link pass
just id (slug) and if slug exists in database, then ok, if not, then won't
be deleted...
nothing can be error....
--
Tilen Majerle
http://majerle.eu
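As an added example (not code from this thread or from CakePHP itself), here is a CakePHP 1.3-style delete action that does what the replies in this thread describe: it allow-lists the URL-passed $id, then confirms the record exists and belongs to the logged-in user before deleting exactly that record. A Posts controller with an owner column and the Auth, Session and RequestHandler components are assumed.

```php
<?php
// Added example, not from the thread: validate a URL-passed id before deleting.
// Assumes a "posts" table with an "owner" column and the components listed below.
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Auth', 'Session', 'RequestHandler');

    // Allow-list instead of sanitizing: a numeric id or a slug made only of
    // [a-z0-9-]. Anything else (&, =, /, quotes, whitespace, empty) is rejected.
    // Underscore prefix keeps this helper unreachable as a URL action.
    function _isValidId($id) {
        return is_string($id) && preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $id) === 1;
    }

    function delete($id = null) {
        // A destructive action should not be reachable from a plain GET link.
        if (!$this->RequestHandler->isPost()) {
            $this->cakeError('error404');
        }
        if (!$this->_isValidId($id)) {
            $this->Session->setFlash('Invalid id.');
            $this->redirect(array('action' => 'index'));
        }
        // Look the record up by id AND owner. The ORM quotes these values, so
        // the point of this check is existence and ownership, not SQL escaping.
        // For a slug-based URL, match on 'Post.slug' instead of 'Post.id'.
        $post = $this->Post->find('first', array(
            'conditions' => array(
                'Post.id'    => $id,
                'Post.owner' => $this->Auth->user('id'),
            ),
            'recursive' => -1,
        ));
        if (empty($post)) {
            // Unknown id and someone else's record get the same response, so
            // the URL cannot be used to probe which ids exist.
            $this->cakeError('error404');
        }
        // Delete only the single record that was just verified, by primary key.
        $this->Post->delete($post['Post']['id']);
        $this->Session->setFlash('Deleted.');
        $this->redirect(array('action' => 'index'));
    }
}
```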



2010/12/11 Dave Maharaj <m...@davemaharaj.com>

>  No no you do not understand what I am asking.
>
> Site/page/$foo
>
> $foo can be 1 hundred million things, 1 being something correct, everything
> else is wrong, so a user can put in &something=this&that=somethingelse. I am
> asking because that gets pumped right into Cake: is there anything you should
> do in general (not Inflector::slug) to make sure it's safe to use, since you
> can't trust everything coming in. Sure, 99% of users will not mess with URLs,
> but that 1% who decides to change and mess with things.
>
> Should you sanitize $foo so it's only [az-09-]? Do you need to? And no, not
> because it's a slug, but because it's safer if you took the & = out of all the
> URL if you know it should not be there. I am asking in general, not in a case
> specific to if it's a slug; if not, forget I even used that word. Think of any URL
> on your site and think of an evil user typing in something they should not.
> Now what would you do to protect the site from what they wrote. That's what
> I am asking. Do you need to check the data in the URL (and I do not mean
> check if it's the owner) before you send it to delete / save / update / redirect
> anything.
>
> Having the site do something or attempt to do something by messing with the
> URL.
>
> Does that make sense or am I just not clear?
>
> *From:* Tilen Majerle [mailto:tilen.maje...@gmail.com]
> *Sent:* December-11-10 2:55 PM
> *To:* cake-php@googlegroups.com
> *Subject:* Re: Passing Variable to delete
>
> with Inflector::slug($id) i think that will be ok
> --
> Tilen Majerle
> http://majerle.eu
>
>  2010/12/11 Dave Maharaj <m...@davemaharaj.com>
>
> Sorry….
>
> Not what I was trying to ask.
>
> Not the if-owner-delete part of the action… just the passing of variables
> through the URL… the actual variable. Cake spits out code link/delete/this_slug; what
> could a user change the “this_slug” variable to that could be harmful? What
> should you check / clean for the variable itself? I only used the delete
> as a general example, so in any case, any time a variable is passed directly to
> the controller, what should you do, if anything, to make sure it's no code
> capable of damage / injection / disruption.
>
> Dave
>
> *From:* Tilen Majerle [mailto:tilen.maje...@gmail.com]
> *Sent:* December-11-10 12:08 PM
> *To:* cake-php@googlegroups.com
> *Subject:* Re: Passing Variable to delete
>
> in your case, i will first check if the given id is the id for a record from some
> user, and if it is, then delete it, otherwise don't delete it...
> --
> Tilen Majerle
> http://majerle.eu
>
> 2010/12/11 Dave Maharaj <m...@davemaharaj.com>
>
> When passing an id / slug through a URL for delete, are there any security
> precautions to add?
>
> Example
>
>     // Deletes only if the row with this id is also owned by the logged-in user
>     function delete($id) {
>         $this->Model->deleteAll(array(
>             'Model.id'    => $id,
>             'Model.owner' => $this->Auth->user('id'),
>         ));
>     }
>
> So I pretty much always use deleteAll, so it's got multiple values of
> checking rightful owner / permission to delete, but I'm more curious about
> the passing of the actual $id, since anyone can pass anything they want as an
> $id if they want to get smart and mess with your site. So what should you
> do? Any added precautions? Sanitize:: the slug / id?
>
> Thanks,
>
> Dave
>
> Check out the new CakePHP Questions site http://cakeqs.org and help others
> with their CakePHP related questions.
>
> You received this message because you are subscribed to the Google Groups
> "CakePHP" group.
> To post to this group, send email to cake-php@googlegroups.com
> To unsubscribe from this group, send email to
> cake-php+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/cake-php?hl=en