It would be a nice idea if this is pointed out in big red letters in the
blog tutorial and manual ;) As I think a lot of users will be
overlooking this.
On Oct 12, 2:58 pm, djiize <[EMAIL PROTECTED]> wrote:
> One best practice, specify which fields are to be
> saved:http://api.cakephp.org/1.2/c
One best practice, specify which fields are to be saved:
http://api.cakephp.org/1.2/class_model.html#ebe42ae387be89985b5a35dd428f5c81
The third argument of the Model->save() is an array "List of fields to
allow to be written"
and in your CREATE TABLE, add "DEFAULT 0" to "active" field.
On 12 oct,
AD7six: to be fair, the whitelist is not in the manual. It is in the
api though... I'm wondering how I missed that!
On Oct 12, 1:22 pm, AD7six <[EMAIL PROTECTED]> wrote:
> On Oct 12, 10:28 am, Sharkoon <[EMAIL PROTECTED]> wrote:
>
> > Well he's got a point.
>
> > When I have this:
> > $form->inpu
Well to be honest this is one point that is not as clearly pointed out
in the tutorials and manual as it should have been.
On Oct 12, 2:22 pm, AD7six <[EMAIL PROTECTED]> wrote:
> On Oct 12, 10:28 am, Sharkoon <[EMAIL PROTECTED]> wrote:
>
> > Well he's got a point.
>
> > When I have this:
> > $for
Well, sure - $this->User->save() will save any correct data in the
array. But the user doesn't have access to model functions, only
controller functions (actions). And in your controller action you
should always, always, always validate the data being transmitted.
This isn't cakephp-specific, it's
On Oct 12, 10:28 am, Sharkoon <[EMAIL PROTECTED]> wrote:
> Well he's got a point.
>
> When I have this:
> $form->input('User.email');
> $form->input('User.password');
>
> and put via firebug value="1">
>
> and then $this->User->save($this->data);
> It saves active as well!!!
>
> A huge security
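An added example, not code from the thread or from CakePHP itself, showing the tampered $this->data array Sharkoon describes and what the field whitelist djiize points to does with it. The save() call at the bottom assumes the CakePHP 1.2 signature save($data, $validate, $fieldList); the thread only states that the third argument is the list of fields allowed to be written. Everything else is a plain PHP stand-in so the script runs without Cake, and the POST data is constructed for illustration.

```php
<?php
// Constructed sample: what $this->data looks like after someone adds an extra
// hidden input named data[User][active] to the form with Firebug.
$tamperedPost = array(
    'User' => array(
        'email'    => 'alice@example.com',
        'password' => 'hunter2',
        'active'   => '1',   // never rendered by the form; injected client-side
    ),
);

// Columns this controller action actually intends to write.
$fieldList = array('email', 'password');

/**
 * Keep only whitelisted keys of one model's record. This mirrors what the
 * third argument of Model->save() does before the INSERT/UPDATE is built.
 */
function whitelistFields(array $record, array $fieldList)
{
    return array_intersect_key($record, array_flip($fieldList));
}

/**
 * Submitted keys that the whitelist threw away. Anything non-empty here is
 * worth logging: the form never offered those fields, so the client made
 * them up.
 */
function rejectedFields(array $record, array $fieldList)
{
    return array_keys(array_diff_key($record, array_flip($fieldList)));
}

/**
 * Stand-in for a naive save: every key in the record becomes a column.
 * Returns the list of columns that would be written.
 */
function naiveSave(array $record)
{
    return array_keys($record);
}

$naive = naiveSave($tamperedPost['User']);
$safe  = naiveSave(whitelistFields($tamperedPost['User'], $fieldList));
$dropped = rejectedFields($tamperedPost['User'], $fieldList);

printf("naive save writes:       %s\n", implode(', ', $naive));
printf("whitelisted save writes: %s\n", implode(', ', $safe));
if (count($dropped) > 0) {
    // Hypothetical log line; in a Cake app this would go through the Log class.
    printf("rejected client-supplied fields: %s\n", implode(', ', $dropped));
}

// In a CakePHP 1.2 controller action the same effect comes from the
// whitelist argument (validate flag in the middle); assumed signature:
//   $this->User->save($this->data, true, array('email', 'password'));
// Combined with "active TINYINT(1) NOT NULL DEFAULT 0" in the CREATE TABLE,
// a new user row can only become active through code that lists that column.
```

The whitelist belongs in the action, not in the view: the form helper only decides which inputs are rendered, and as the thread shows, the browser can submit any data[Model][field] name it likes. Checking rejectedFields() on every save is also a cheap way to notice tampering attempts in the logs.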
Well he's got a point.
When I have this:
$form->input('User.email');
$form->input('User.password');
and put via firebug
and then $this->User->save($this->data);
It saves active as well!!!
A huge security risk!!
The information is valuable to the attacker only if s/he has
access to the database (read: there is a security hole in the application).
There may still be a way to get the field list from the table (e.g. SHOW
CREATE TABLE for MySQL) once an attacker can execute their own SQL statements on
the server
There's nothing that says you have to name your field with the model/
field method. If you're concerned about this give it a different
name, but then you will need to parse the $this->data array and
restructure it if you intend to use $this->model->save($this->data);
I doubt this is efficient, es
When the crackers have no access to the database, they would be able to
access your information.
But if they found your db access, they will find out your
information.
If you are aware of security things, you can use plain HTML with PHP
instead of the form helper.
you can say instead of using $html->in
On Oct 10, 11:27 am, wralph <[EMAIL PROTECTED]> wrote:
> What you're talking about is security through obfuscation and it never
> works against a persistent hacker. There is no security risk in
> publishing the DB tables and fields, the risk is in the strength of
> the passwords for connecting to th
What you're talking about is security through obfuscation and it never
works against a persistent hacker. There is no security risk in
publishing the DB tables and fields, the risk is in the strength of
the passwords for connecting to the DB and the level of access given
to particular users - this h
I agree with you... In fact, I've been thinking about it for a long
time. It's surely a security risk... Though it looks like we are just
exposing the database structure, it's still confidential
information, which can take the attacker to his aim
Cake might be secured enough, but consider some
On Oct 10, 4:19 pm, Comida411 <[EMAIL PROTECTED]> wrote:
> When the page is rendered, if someone does a view source he can
> clearly see the table name and the column name.
>
> Is it not a security risk?
Arguably it gives an attacker more information - but it's no more of a
risk than the attacker
Assuming you have reasonable security in your database (strong
passwords with normal expiration periods, hard to guess user names,
updated db software), I don't know why you'd care about this.
Would it *really* be a big problem if you were forced to publish your
data model on your website? What d
I am a newbie to CakePHP and I have a concern on the way Cake exposes
the data model of the application in the view. Since we have to follow
a naming convention for Cake to update the model automatically from
the view, I see there is a risk of exposing one's data model.
Example:
I have a user ta