# |
Jun 30th 2019, 12:20 |
ndm |
@st.steinkuehler A custom finder maybe. Really depends on at which point the data you want to set is available, and under which circumstances it has to be set. |
# |
Jun 30th 2019, 11:38 |
st.steinkuehler |
Is there a simpler, more direct way to change a field for the logged in user, like this? ``` $userData = $this->Authentication->getIdentity()->getOriginalData(); $userData['assignnewpwd'] = false; $updatedIdentity = new Identity($userData); $this->Authentication->setIdentity($updatedIdentity); ``` |
# |
Jun 30th 2019, 11:35 |
challgren |
Your entities and validation rules will prevent bad data from being inserted |
# |
Jun 30th 2019, 11:34 |
challgren |
Use the orm and request objects, never use $_POST with cake |
# |
Jun 30th 2019, 11:33 |
wgon0001 |
Thanks for help. I will try it out. |
# |
Jun 30th 2019, 11:23 |
challgren |
But simple way to prevent it from being inserted at all is to create a Custom Rule Object so you can reuse it. |
# |
Jun 30th 2019, 11:22 |
slackebot |
write the contents to a PHP file and execute it, or have it written to a place where an external attacker could execute it. |
# |
Jun 30th 2019, 11:22 |
ndm |
@wgon0001 Obfuscation via ROT13 or Base64, I haven't seen that in years. Generally you need to first properly assess a threat, just adding "security stuff" will most likely fail if you don't know how a possible attack works. As @challgren said, that code snippet alone is no threat. Ask yourself, how could someone exploit ROT13 obfuscated PHP that's embedded in a database record? Your application would have to un-ROT13 it, and either eval it, or |
# |
Jun 30th 2019, 11:16 |
challgren |
Plus if you did get `<?php @eval($_POST[value]);?>` inserted into your database. It wouldn’t run |
# |
Jun 30th 2019, 11:14 |
challgren |
And then if you wanted to you can write your own rule to look for that string https://book.cakephp.org/3.0/en/orm/validation.html#creating-custom-re-usable-rules |
# |
Jun 30th 2019, 11:11 |
challgren |
https://book.cakephp.org/3.0/en/orm/saving-data.html#merging-request-data-into-entities |
# |
Jun 30th 2019, 11:11 |
challgren |
https://book.cakephp.org/3.0/en/orm/saving-data.html#converting-request-data-into-entities |
# |
Jun 30th 2019, 11:04 |
challgren |
https://book.cakephp.org/3.0/en/orm/query-builder.html#sql-injection-prevention |
# |
Jun 30th 2019, 10:59 |
challgren |
By using the `$_POST` you aren’t even allowing cake to sanitize the input |
# |
Jun 30th 2019, 10:57 |
challgren |
You know CakePHP has SLQ injection built in if used correctly |
# |
Jun 30th 2019, 10:55 |
wgon0001 |
There are many articles and some attacker’s write-ups saying how they doing this. And I tried on yesterday it did works on my build with Cake 3.7 |
# |
Jun 30th 2019, 10:53 |
slackebot |
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |
# |
Jun 30th 2019, 10:53 |
wgon0001 |
@challgren I am trying to prevent that statement been injected to database, common happens when user fill out register from. That link gives you an overview and analysis of how it could harm to php site. And now they are using such as ROT13 or base64 encrypted script to do the same things. And I am trying to build a input filter to prevent this. |
# |
Jun 30th 2019, 10:34 |
ra7bi |
@ndm Thanks will check it out |
# |
Jun 30th 2019, 10:31 |
challgren |
I'm not trying to be a dick or anything just trying to understand why you need to use eval |
# |
Jun 30th 2019, 10:30 |
challgren |
@wgon0001 what exactly are you trying to accomplish with the eval? Let's look at your use case from a architecture view |
# |
Jun 30th 2019, 10:29 |
ra7bi |
you can detect `eval` code but not prevent completely , the firewall can detect eval call but sometime can play around it |
# |
Jun 30th 2019, 10:28 |
wgon0001 |
Cheers, that’s what I looking for, I will try it out. |
# |
Jun 30th 2019, 10:28 |
ra7bi |
so you should be very carefully |
# |
Jun 30th 2019, 10:28 |
ra7bi |
there is no traditional way , if you prevent `@eval($_POST['value']);` i would use `@eval(base64_decode(base64_decode($_POST['value'])));` |
# |
Jun 30th 2019, 10:25 |
challgren |
What exactly are you evaling and expecting? |
# |
Jun 30th 2019, 10:24 |
wgon0001 |
@ra7bi That’s what I want to prevent for attacker’s malware input, is there any functions that I can use in Cake or I have to write it in traditional PHP ways to detect and prevent it? |
# |
Jun 30th 2019, 10:17 |
slackebot |
required though, you can use a fully qualifified name in the config and it will work just fine. |
# |
Jun 30th 2019, 10:17 |
ndm |
@ra7bi You can put the file anywhere as long as it's autoloadable, CakePDF doesn't _enforce_ any conventions, but _uses_ the standard CakePHP ones in order to support short classnames (see for example https://book.cakephp.org/3.0/en/core-libraries/logging.html#logging-configuration). In order for the latter to work, you'd put it in `src/Pdf/Engine/`, and use a class/filename that ends with `Engine` (just like the built in ones do). It's not |
# |
Jun 30th 2019, 09:39 |
challgren |
Ahh ok |
# |
Jun 30th 2019, 09:38 |
ra7bi |
i preferred TCPDF , coz i know how to work with it much better and it support Arabic |
# |
Jun 30th 2019, 09:38 |
challgren |
I know that engine seems much more complete in CakePdf |
# |
Jun 30th 2019, 09:37 |
challgren |
Have you looked into wkHtmlToPdf |
# |
Jun 30th 2019, 09:37 |
ra7bi |
Sure , thanks |
# |
Jun 30th 2019, 09:37 |
challgren |
Honestly not sure, mess around and see what folder works maybe admad can help |
# |
Jun 30th 2019, 09:36 |
ra7bi |
i dont want to touch the plugin folder |
# |
Jun 30th 2019, 09:35 |
ra7bi |
is there any example where should i put the file of that engine ? |
# |
Jun 30th 2019, 09:31 |
challgren |
Or extend TcpdfEngine |
# |
Jun 30th 2019, 09:27 |
challgren |
You may have to write your own AbstractPdfEngine then |
# |
Jun 30th 2019, 09:27 |
ra7bi |
` $this->viewBuilder()->setOptions([])` does not work |
# |
Jun 30th 2019, 09:27 |
ra7bi |
i wana use ` $TCPDF->` object in my controller here is the original place `https://github.com/FriendsOfCake/CakePdf/blob/master/src/Pdf/Engine/TcpdfEngine.php` |