Oct 22nd 2019, 09:58
neon1024
You can still do a little sanitization by casting values and such, though

Oct 22nd 2019, 09:58
neon1024
https://book.cakephp.org/3.0/en/orm/query-builder.html#sql-injection-prevention

Oct 22nd 2019, 09:57
neon1024
`$this->Examples->find()->where(['thing' => $this->getRequest()->getData('something')])`

Oct 22nd 2019, 09:57
neon1024
As long as they’re assigned as array values

Oct 22nd 2019, 09:57
neon1024
The ORM will sanitize things for you

Oct 22nd 2019, 09:55
dev.cyrusjayson
It is an API

Oct 22nd 2019, 09:55
david
When I validate an input, the Form helper adds the "Form.errorClass" to the input. But if I validate a select multiple, it doesn't add the "Form.errorClass" to the select. I am looking at the templates (https://api.cakephp.org/3.8/source-class-Cake.View.Helper.FormHelper.html#79-171) but I don't know how to do that

Oct 22nd 2019, 09:54
dev.cyrusjayson
I know it is not nice.

Oct 22nd 2019, 09:54
dev.cyrusjayson
In Cake 2 there is a module called Sanitize, and they removed it in 3. Is there any alternative so that I can do something like this: $email = CleanerSample($this->request->data['email'])

Oct 22nd 2019, 09:53
alexdd55976
@dev.cyrusjayson you could iterate and clean things up or validate against some made-up validation rules

Oct 22nd 2019, 09:50
dev.cyrusjayson
Guys, I accept parameters and directly put them in my query builder, so it is vulnerable to SQL injection. Is there a way to clean the $this->request->data in the middleware or appcontroller.php? "$this->request->data['email']" 3.4.13

Oct 22nd 2019, 09:07
jotpe
Thank you :slightly_smiling_face:

Oct 22nd 2019, 09:06
jotpe
ok

Oct 22nd 2019, 09:06
savant
that’ll be more or less instant

Oct 22nd 2019, 09:06
savant
import it into a temporary table and execute SQL to do two table renames in a single statement

Oct 22nd 2019, 09:05
savant
so ingest that data once a week or whatever

Oct 22nd 2019, 09:05
jotpe
Yes, they're known in advance. But I don't want to end up managing zip code data if something changes

Oct 22nd 2019, 09:05
admad
use a db table and update from time to time as required

Oct 22nd 2019, 09:04
admad
ditto

Oct 22nd 2019, 09:04
savant
if they are known in advance, I’d probably have them in a database so I can do a quick lookup

Oct 22nd 2019, 09:01
jotpe
Off-Cake question: Do you use a lib or service to resolve zip codes to cities (especially German Postleitzahlen)?

Oct 22nd 2019, 08:33
admad
*none

Oct 22nd 2019, 08:32
admad
no, besides 2.10 in the 2.x series

Oct 22nd 2019, 08:31
tokam
how about 2.1.1?

Oct 22nd 2019, 08:30
admad
2.9 won't have any new bugfix release

Oct 22nd 2019, 08:30
admad
okay, like I said, upgrade to the latest 2.10.x and if the issue persists submit a bug report

Oct 22nd 2019, 08:30
tokam
but this is not enough.

Oct 22nd 2019, 08:29
tokam
I tried to do this validation with if ( (!isset($this->_values[$this->name][$firstName])

Oct 22nd 2019, 08:29
tokam
and also be backwards compatible

Oct 22nd 2019, 08:29
tokam
and if I use an API that manages cookies, the API should do that.

Oct 22nd 2019, 08:29
tokam
it comes from $_COOKIES

Oct 22nd 2019, 08:29
tokam
no

Oct 22nd 2019, 08:28
admad
you should validate user input

Oct 22nd 2019, 08:27
tokam
$this->_values[$this->name][$firstName]

Oct 22nd 2019, 08:27
tokam
Some user had this value in this variable

Oct 22nd 2019, 08:27
tokam
string(64) " %'w/ Bo" x}%2 D @ B 2ӵ Mand [ y U0 W vh "

Oct 22nd 2019, 08:27
admad
it's more likely the problem is in your app rather than core code; 2.x code is very mature.

Oct 22nd 2019, 08:26
admad
FYI you just need a GitHub account to be able to contribute

Oct 22nd 2019, 08:26
tokam
I think the issue is that some weird value gets into the system after the upgrade.

Oct 22nd 2019, 08:26
admad
that's more like it. Upgrade to the latest 2.10.x and if you still have the error then you can submit a bug report or fix.

Oct 22nd 2019, 08:26
tokam
But this fixed just one of the cases.