| # |
Jun 30th 2019, 10:28 |
 ra7bi |
so you should be very carefully |
| # |
Jun 30th 2019, 10:28 |
ra7bi |
there is no traditional way , if you prevent `@eval($_POST['value']);` i would use `@eval(base64_decode(base64_decode($_POST['value'])));` |
| # |
Jun 30th 2019, 10:25 |
challgren |
What exactly are you evaling and expecting? |
| # |
Jun 30th 2019, 10:24 |
wgon0001 |
@ra7bi That’s what I want to prevent for attacker’s malware input, is there any functions that I can use in Cake or I have to write it in traditional PHP ways to detect and prevent it? |
| # |
Jun 30th 2019, 10:17 |
slackebot |
required though, you can use a fully qualifified name in the config and it will work just fine. |
| # |
Jun 30th 2019, 10:17 |
ndm |
@ra7bi You can put the file anywhere as long as it's autoloadable, CakePDF doesn't _enforce_ any conventions, but _uses_ the standard CakePHP ones in order to support short classnames (see for example https://book.cakephp.org/3.0/en/core-libraries/logging.html#logging-configuration). In order for the latter to work, you'd put it in `src/Pdf/Engine/`, and use a class/filename that ends with `Engine` (just like the built in ones do). It's not |
| # |
Jun 30th 2019, 09:39 |
challgren |
Ahh ok |
| # |
Jun 30th 2019, 09:38 |
ra7bi |
i preferred TCPDF , coz i know how to work with it much better and it support Arabic |
| # |
Jun 30th 2019, 09:38 |
challgren |
I know that engine seems much more complete in CakePdf |
| # |
Jun 30th 2019, 09:37 |
challgren |
Have you looked into wkHtmlToPdf |
| # |
Jun 30th 2019, 09:37 |
ra7bi |
Sure , thanks |
| # |
Jun 30th 2019, 09:37 |
challgren |
Honestly not sure, mess around and see what folder works maybe admad can help |
| # |
Jun 30th 2019, 09:36 |
ra7bi |
i dont want to touch the plugin folder |
| # |
Jun 30th 2019, 09:35 |
ra7bi |
is there any example where should i put the file of that engine ? |
| # |
Jun 30th 2019, 09:31 |
challgren |
Or extend TcpdfEngine |
| # |
Jun 30th 2019, 09:27 |
challgren |
You may have to write your own AbstractPdfEngine then |
| # |
Jun 30th 2019, 09:27 |
ra7bi |
` $this->viewBuilder()->setOptions([])` does not work |
| # |
Jun 30th 2019, 09:27 |
ra7bi |
i wana use ` $TCPDF->` object in my controller here is the original place `https://github.com/FriendsOfCake/CakePdf/blob/master/src/Pdf/Engine/TcpdfEngine.php` |
| # |
Jun 30th 2019, 09:24 |
challgren |
Only 2 people in this world use eval(), new programmers that don’t know anything about data sanitization, SQL injection bugs and security. Or those that want to push the limits of PHP. In this case I’m guessing its a new programmer. Because its not even using the CakePHP conventions of accessing the request object instead of the raw $_POST |
| # |
Jun 30th 2019, 09:22 |
ra7bi |
Yes , he need very deep filtering system but also he will be in risk |
| # |
Jun 30th 2019, 09:20 |
challgren |
You saw the code he posted right? He’s evaling unsanitized code. Major major security risk, phpMyAdmin, vBulletin have all had eval related security issues |
| # |
Jun 30th 2019, 09:18 |
ra7bi |
sometime he need eval in hook system but in cake already have plugin system |
| # |
Jun 30th 2019, 09:14 |
challgren |
“If eval() is the answer, you’re almost certainly asking the wrong question. -- Rasmus Lerdorf, BDFL of PHP” |
| # |
Jun 30th 2019, 09:12 |
challgren |
@ra7bi I believe you can use $this->viewBuilder()->setOptions([]) |
| # |
Jun 30th 2019, 09:11 |
challgren |
@wgon0001 are you nuts??? Eval is very very dangerous |
| # |
Jun 30th 2019, 08:51 |
ra7bi |
can i override CakePdf `Engine` `TcpdfEngine.php` configuration in my controller ? i need to set more values and more options to `Tcpd Engine` |
| # |
Jun 30th 2019, 08:49 |
ra7bi |
@wgon0001 Why not disable Eval function |
| # |
Jun 30th 2019, 07:44 |
savant |
Feel free to pm me |
| # |
Jun 30th 2019, 07:44 |
savant |
@chrisshick happy to discuss this (I run infra for cakephp and also have done so for a much larger e-commerce org and currently a heroku-like org) |
| # |
Jun 30th 2019, 04:50 |
wgon0001 |
Can I prevent the evil code from ‘Chinese chopper’ such as `<?php @eval($_POST[value]);?>` by using validator applying the rules to inputs box? |
| # |
Jun 30th 2019, 04:47 |
bgrinter |
I've run through the v3 tutorial and also done a test upgrade of v2 to v3 for the sample blog app, but now looking to do it for real and looking for advice |
| # |
Jun 30th 2019, 04:46 |
bgrinter |
Do I install using composer in a new directory and copy existing controller / model / views over? Do I set up to use composer on v2 first and update instead? |
| # |
Jun 30th 2019, 04:45 |
bgrinter |
I have a CakePHP 2.x app that I'm looking to update to v3. the v2 app doesn't use composer so I'm wondering the best / correct path to take. |
| # |
Jun 30th 2019, 03:00 |
challgren |
CakePHP 4.0.0-beta1 released! https://github.com/cakephp/cakephp/releases/tag/4.0.0-beta1 |
| # |
Jun 30th 2019, 02:42 |
chrisshick |
@savant |
| # |
Jun 30th 2019, 02:36 |
chrisshick |
Now I’m curious, why do you think that? |
| # |
Jun 30th 2019, 02:35 |
savant |
Most anything else in the deployment space is going the wrong way imo |
| # |
Jun 30th 2019, 02:35 |
savant |
Use Kubernetes or something similar @chrisshick |
| # |
Jun 30th 2019, 01:30 |
slackebot |
changes the symlink accordingly. |
| # |
Jun 30th 2019, 01:30 |
chrisshick |
Hosting wise: i am currently using a private cloud provider. Security wise they have everything locked down pretty hardcore. I would like to avoid having to make firewall changes and make ssh accounts. I was envisioning a master server that holds all the builds. An api that the agents use to pull the latest build version. If it is different then it gets the build via the api, places it in the folder labeled for that version, and then |
| # |
Jun 30th 2019, 01:25 |
chrisshick |
@savant I mean it to be a little more secure due to the nature of opening firewall ports and setting up ssh accounts. Albeit those concerns can be addressed pretty simply The scalability concern I feel is well addressed with puppet for the nodes. |