# |
Jun 30th 2019, 10:59 |
challgren |
By using the `$_POST` you aren’t even allowing cake to sanitize the input |
# |
Jun 30th 2019, 10:57 |
challgren |
You know CakePHP has SLQ injection built in if used correctly |
# |
Jun 30th 2019, 10:55 |
wgon0001 |
There are many articles and some attacker’s write-ups saying how they doing this. And I tried on yesterday it did works on my build with Cake 3.7 |
# |
Jun 30th 2019, 10:53 |
slackebot |
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |
# |
Jun 30th 2019, 10:53 |
wgon0001 |
@challgren I am trying to prevent that statement been injected to database, common happens when user fill out register from. That link gives you an overview and analysis of how it could harm to php site. And now they are using such as ROT13 or base64 encrypted script to do the same things. And I am trying to build a input filter to prevent this. |
# |
Jun 30th 2019, 10:34 |
ra7bi |
@ndm Thanks will check it out |
# |
Jun 30th 2019, 10:31 |
challgren |
I'm not trying to be a dick or anything just trying to understand why you need to use eval |
# |
Jun 30th 2019, 10:30 |
challgren |
@wgon0001 what exactly are you trying to accomplish with the eval? Let's look at your use case from a architecture view |
# |
Jun 30th 2019, 10:29 |
ra7bi |
you can detect `eval` code but not prevent completely , the firewall can detect eval call but sometime can play around it |
# |
Jun 30th 2019, 10:28 |
wgon0001 |
Cheers, that’s what I looking for, I will try it out. |
# |
Jun 30th 2019, 10:28 |
ra7bi |
so you should be very carefully |
# |
Jun 30th 2019, 10:28 |
ra7bi |
there is no traditional way , if you prevent `@eval($_POST['value']);` i would use `@eval(base64_decode(base64_decode($_POST['value'])));` |
# |
Jun 30th 2019, 10:25 |
challgren |
What exactly are you evaling and expecting? |
# |
Jun 30th 2019, 10:24 |
wgon0001 |
@ra7bi That’s what I want to prevent for attacker’s malware input, is there any functions that I can use in Cake or I have to write it in traditional PHP ways to detect and prevent it? |
# |
Jun 30th 2019, 10:17 |
slackebot |
required though, you can use a fully qualifified name in the config and it will work just fine. |
# |
Jun 30th 2019, 10:17 |
ndm |
@ra7bi You can put the file anywhere as long as it's autoloadable, CakePDF doesn't _enforce_ any conventions, but _uses_ the standard CakePHP ones in order to support short classnames (see for example https://book.cakephp.org/3.0/en/core-libraries/logging.html#logging-configuration). In order for the latter to work, you'd put it in `src/Pdf/Engine/`, and use a class/filename that ends with `Engine` (just like the built in ones do). It's not |
# |
Jun 30th 2019, 09:39 |
challgren |
Ahh ok |
# |
Jun 30th 2019, 09:38 |
ra7bi |
i preferred TCPDF , coz i know how to work with it much better and it support Arabic |
# |
Jun 30th 2019, 09:38 |
challgren |
I know that engine seems much more complete in CakePdf |
# |
Jun 30th 2019, 09:37 |
challgren |
Have you looked into wkHtmlToPdf |
# |
Jun 30th 2019, 09:37 |
ra7bi |
Sure , thanks |
# |
Jun 30th 2019, 09:37 |
challgren |
Honestly not sure, mess around and see what folder works maybe admad can help |
# |
Jun 30th 2019, 09:36 |
ra7bi |
i dont want to touch the plugin folder |
# |
Jun 30th 2019, 09:35 |
ra7bi |
is there any example where should i put the file of that engine ? |
# |
Jun 30th 2019, 09:31 |
challgren |
Or extend TcpdfEngine |
# |
Jun 30th 2019, 09:27 |
challgren |
You may have to write your own AbstractPdfEngine then |
# |
Jun 30th 2019, 09:27 |
ra7bi |
` $this->viewBuilder()->setOptions([])` does not work |
# |
Jun 30th 2019, 09:27 |
ra7bi |
i wana use ` $TCPDF->` object in my controller here is the original place `https://github.com/FriendsOfCake/CakePdf/blob/master/src/Pdf/Engine/TcpdfEngine.php` |
# |
Jun 30th 2019, 09:24 |
challgren |
Only 2 people in this world use eval(), new programmers that don’t know anything about data sanitization, SQL injection bugs and security. Or those that want to push the limits of PHP. In this case I’m guessing its a new programmer. Because its not even using the CakePHP conventions of accessing the request object instead of the raw $_POST |
# |
Jun 30th 2019, 09:22 |
ra7bi |
Yes , he need very deep filtering system but also he will be in risk |
# |
Jun 30th 2019, 09:20 |
challgren |
You saw the code he posted right? He’s evaling unsanitized code. Major major security risk, phpMyAdmin, vBulletin have all had eval related security issues |
# |
Jun 30th 2019, 09:18 |
ra7bi |
sometime he need eval in hook system but in cake already have plugin system |
# |
Jun 30th 2019, 09:14 |
challgren |
“If eval() is the answer, you’re almost certainly asking the wrong question. -- Rasmus Lerdorf, BDFL of PHP” |
# |
Jun 30th 2019, 09:12 |
challgren |
@ra7bi I believe you can use $this->viewBuilder()->setOptions([]) |
# |
Jun 30th 2019, 09:11 |
challgren |
@wgon0001 are you nuts??? Eval is very very dangerous |
# |
Jun 30th 2019, 08:51 |
ra7bi |
can i override CakePdf `Engine` `TcpdfEngine.php` configuration in my controller ? i need to set more values and more options to `Tcpd Engine` |
# |
Jun 30th 2019, 08:49 |
ra7bi |
@wgon0001 Why not disable Eval function |
# |
Jun 30th 2019, 07:44 |
savant |
Feel free to pm me |
# |
Jun 30th 2019, 07:44 |
savant |
@chrisshick happy to discuss this (I run infra for cakephp and also have done so for a much larger e-commerce org and currently a heroku-like org) |
# |
Jun 30th 2019, 04:50 |
wgon0001 |
Can I prevent the evil code from ‘Chinese chopper’ such as `<?php @eval($_POST[value]);?>` by using validator applying the rules to inputs box? |
# |
Jun 30th 2019, 04:47 |
bgrinter |
I've run through the v3 tutorial and also done a test upgrade of v2 to v3 for the sample blog app, but now looking to do it for real and looking for advice |