# |
Oct 22nd 2019, 09:50 |
dev.cyrusjayson |
Guys, I accept parameters and directly put them in my query builder, so it is vulnerable to SQL Injection. Is there a way to clean the $this->request->data in the middleware or appcontroller.php? "$this->request->data['email']" 3.4.13 |
# |
Oct 22nd 2019, 09:07 |
jotpe |
Thank you :slightly_smiling_face: |
# |
Oct 22nd 2019, 09:06 |
jotpe |
ok |
# |
Oct 22nd 2019, 09:06 |
savant |
that’ll be more or less instant |
# |
Oct 22nd 2019, 09:06 |
savant |
import it into a temporary table and execute sql to do two table renames in a single statement |
# |
Oct 22nd 2019, 09:05 |
savant |
so ingest that data once a week or whatever |
# |
Oct 22nd 2019, 09:05 |
jotpe |
Yes, they're known in advance. But I don't want to end up managing zip code data if something changes |
# |
Oct 22nd 2019, 09:05 |
admad |
use a db table and update from time to time as required |
# |
Oct 22nd 2019, 09:04 |
admad |
ditto |
# |
Oct 22nd 2019, 09:04 |
savant |
if they are known in advance, I'd probably have them in a database so I can do a quick lookup |
# |
Oct 22nd 2019, 09:01 |
jotpe |
Off-Cake Question: Do you use a Lib or Service to resolve zip codes to cities (especially german postleitzahlen)? |
# |
Oct 22nd 2019, 08:33 |
admad |
*none |
# |
Oct 22nd 2019, 08:32 |
admad |
no besides 2.10 in 2.x series |
# |
Oct 22nd 2019, 08:31 |
tokam |
how about 2.1.1? |
# |
Oct 22nd 2019, 08:30 |
admad |
2.9 won't have any new bugfix release |
# |
Oct 22nd 2019, 08:30 |
admad |
okay, like I said, upgrade to latest 2.10.x and if the issue persists submit a bug report |
# |
Oct 22nd 2019, 08:30 |
tokam |
but this is not enough. |
# |
Oct 22nd 2019, 08:29 |
tokam |
I tried to do this validation with if ( (!isset($this->_values[$this->name][$firstName]) |
# |
Oct 22nd 2019, 08:29 |
tokam |
and be also backwards compatible |
# |
Oct 22nd 2019, 08:29 |
tokam |
and if I use an api that manages cookies, the API should do that. |
# |
Oct 22nd 2019, 08:29 |
tokam |
it comes from $_COOKIES |
# |
Oct 22nd 2019, 08:29 |
tokam |
no |
# |
Oct 22nd 2019, 08:28 |
admad |
you should validate user input |
# |
Oct 22nd 2019, 08:27 |
tokam |
$this->_values[$this->name][$firstName] |
# |
Oct 22nd 2019, 08:27 |
tokam |
Some user had this value in this variable |
# |
Oct 22nd 2019, 08:27 |
tokam |
string(64) " %'w/ Bo" x}%2 D @ B 2ӵ Mand [ y U0 W vh " |
# |
Oct 22nd 2019, 08:27 |
admad |
it's more likely the problem is in your app rather than core code, 2.x code is very mature. |
# |
Oct 22nd 2019, 08:26 |
admad |
FYI you just need a github account to be able to contribute |
# |
Oct 22nd 2019, 08:26 |
tokam |
I think the issue is that some weird value gets into the system after the upgrade. |
# |
Oct 22nd 2019, 08:26 |
admad |
that's more like it. Upgrade to latest 2.10.x and if you still have the error then you can submit a bug report or fix. |
# |
Oct 22nd 2019, 08:26 |
tokam |
But this fixed just one of the cases. |
# |
Oct 22nd 2019, 08:23 |
tokam |
2.9.0 |
# |
Oct 22nd 2019, 08:23 |
tokam |
//////////////////////////////////////////////////////////////////////////////////////////////////// |
# |
Oct 22nd 2019, 08:10 |
admad |
tokam: I highly doubt you are using "0.2.9", what's the actual version? |
# |
Oct 22nd 2019, 07:55 |
tokam |
can you please confirm that this is the correct bugfix? If possible maybe also add me to contributors, unless this is way too much to ask? |
# |
Oct 22nd 2019, 07:55 |
tokam |
In CookieComponent.php |
# |
Oct 22nd 2019, 07:55 |
tokam |
if ( (!isset($this->_values[$this->name][$firstName]) || $this->_values[$this->name][$firstName] == '') && $isMultiValue) { |
# |
Oct 22nd 2019, 07:55 |
tokam |
and replaced it by this one |
# |
Oct 22nd 2019, 07:55 |
tokam |
if |
# |
Oct 22nd 2019, 07:55 |
tokam |
if ( (!isset($this->_values[$this->name][$firstName]) ) && $isMultiValue) { |
# |
Oct 22nd 2019, 07:55 |
tokam |
We changed this line ... |