On Dec 11, 2010, at 21:12, Dave Maharaj wrote:

> I have been taking the $id / $slug / $whatever_anyone_wants_to_call_it at
> face value and doing
>
> $data = $this->Model->some_function($id, $other, $var);
>
> if (!$data) {
>     // see ya
> }
>
> if ($data) {
>     // good stuff, do what I need to do
> }
>
> But that's why I was wondering about simply taking what's given ($id) in the
> example and firing it off straight to the Model, since the user could simply
> have changed it to anything. Sure, it won't find anything, but that's not the
> question I'm asking. Can it do anything is what I really want to know. I know
> very little about these security risks; that's why I'm asking, to see what the
> real deal is here.
>
> Can $id (any variable passed from URL) be manipulated into something that
> would delete the db? Add a million empty records? Pretty much do anything
> other than what it's intended for. That's the million dollar question I'm
> trying to get. Not talking about changing $id value 5 to 6 or converting it
> into a slug.
Well, I like the code I just posted, since it certainly can do no harm to verify that a parameter like an id is in the correct format, and it saves a hit to the database if it's not in the correct format, so that's certainly a good thing.

But to answer the question of whether there is any risk in passing arbitrary values to the database layer, I guess we have to dive into the code and find out. I can't vouch for your "some_function" because I don't know what it does. The models cake baked for me load the data using the Model->read() method. Looking in cake/libs/model/model.php, I see Model->read() just passes the id unchanged to the Model->find() method, in the conditions array. This in turn calls the data source's read() method. My data source is a MySQL database using the mysqli adapter, whose read() method seems to be the shared read() method in cake/libs/model/datasources/dbo_source.php. There the code becomes too complicated for me to feel like analyzing any further, so I'll switch to testing.

I tried calling up the URL /images/edit/1'%20OR%201 on my app, disabling the aforementioned code I had in place so that this value gets passed directly to cake. In the SQL debug, I see proper escaping / quoting going on:

WHERE `Image`.`id` = '1\' OR 1'

So this seems fine to me; I don't see any SQL injection vulnerabilities here. Of course, if you're generating any SQL fragments that get inserted directly into the SQL statement, that might be a different matter. (Not sure, for example, what happens when you're trying to find() things with your own WHERE conditions.)
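The id format check the reply recommends, followed by the array-conditions read it traced through Model->find(), written up as an added example in CakePHP 1.3 style; this is not the poster's code or CakePHP's own, and the ImagesController, the Image model and the positive-integer id policy are assumptions.

```php
<?php
// Added example (not from the thread or from CakePHP): reject malformed ids
// before the model is asked, then read with array conditions so the data
// source quotes the value, as the debug output in the reply shows.
class ImagesController extends AppController {
    var $name = 'Images';
    var $components = array('Session');

    // Assumed policy: an id is a positive integer. Anything else never
    // reaches the query builder and costs no database round-trip.
    function isValidId($id) {
        return (bool) preg_match('/^[1-9][0-9]*$/', (string) $id);
    }

    function edit($id = null) {
        if (!$this->isValidId($id)) {
            $this->Session->setFlash('Invalid image id.');
            $this->redirect(array('action' => 'index'));
            return;
        }

        // Array conditions: the value is escaped and quoted by DboSource,
        // e.g. the crafted input 1' OR 1 becomes WHERE `Image`.`id` = '1\' OR 1'.
        // A string condition built by concatenation ("Image.id = $id") is the
        // raw SQL fragment case the reply flags as a different matter, and is
        // deliberately not used here.
        $image = $this->Image->find('first', array(
            'conditions' => array('Image.id' => $id),
        ));

        if (!$image) {
            $this->Session->setFlash('Image not found.');
            $this->redirect(array('action' => 'index'));
            return;
        }

        $this->set('image', $image);
    }
}
```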