| # |
Aug 21st 2009, 16:39 |
kiger |
well updateAll() clearly does, but doing an update through save() does too |
| # |
Aug 21st 2009, 16:39 |
kiger |
So I do $this->User->id = $userId |
| # |
Aug 21st 2009, 16:39 |
markstory |
so you're saying all update commands allow sql injection? |
| # |
Aug 21st 2009, 16:38 |
kiger |
I allow users to edit their account on my box |
| # |
Aug 21st 2009, 16:38 |
markstory |
ok |
| # |
Aug 21st 2009, 16:38 |
kiger |
[18:04] <kiger> $success = (bool)$db->update($this, $fields, $values); |
| # |
Aug 21st 2009, 16:38 |
kiger |
[18:04] <kiger> check line 1238 in the latest svn of model.php |
| # |
Aug 21st 2009, 16:37 |
markstory |
and should escape fields. |
| # |
Aug 21st 2009, 16:37 |
markstory |
Model::save() doesn't use updateAll |
| # |
Aug 21st 2009, 16:35 |
kiger |
But I never realized that Model::save() does not escape stuff either when you set Model->id because it will also use update. |
| # |
Aug 21st 2009, 16:34 |
kiger |
Basically, I didn't know that updateAll() doesn't escape stuff; the docs say it doesn't so no problem |
| # |
Aug 21st 2009, 16:32 |
kiger |
Should I mention it in here or does someone want me to explain in a pm? |
| # |
Aug 21st 2009, 16:32 |
kiger |
I think, and of course I'm probably wrong, I found a pretty big hole in cake regarding security that maybe many bakers don't know about? |
| # |
Aug 18th 2009, 10:24 |
kuja |
Ouch :| |
| # |
Aug 17th 2009, 12:53 |
ProLoser|Work1 |
!log |
| # |
Aug 16th 2009, 19:30 |
ProLoser |
!seen techno-dude |
| # |
Aug 16th 2009, 18:11 |
proloser |
!seen ad7six |
| # |
Aug 15th 2009, 15:56 |
sky_l3ppard |
hi poLK, i fixed the article, please take a look, when you have time, thanks |
| # |
Aug 15th 2009, 06:36 |
ADmad |
i kinda got lost what was your take on this ? |
| # |
Aug 15th 2009, 06:36 |
alkemann |
well at least he has more content than the other one, but i must stick to our discussion of yesterday |
| # |
Aug 15th 2009, 06:34 |
ADmad |
ya |
| # |
Aug 15th 2009, 06:34 |
alkemann |
oh by Jon |
| # |
Aug 15th 2009, 06:34 |
ADmad |
yup suddenly people are too interested in that topic :) |
| # |
Aug 15th 2009, 06:33 |
alkemann |
another one? |
| # |
Aug 15th 2009, 06:31 |
ADmad |
alkemann: you checked this other canonical helper http://bakery.cakephp.org/articles/view/canonical-helper ? |
| # |
Aug 14th 2009, 16:29 |
markstory |
plus you can use shouty <HTML> |
| # |
Aug 14th 2009, 16:29 |
alkemann |
many smarter and more versed in the issue than me has written volumes about it on the web, that im sure is just a google away if you are really interested |
| # |
Aug 14th 2009, 16:27 |
ADmad |
and you want html4strict becuase ? |
| # |
Aug 14th 2009, 16:27 |
alkemann |
what you "like" is not relevant to the issue |
| # |
Aug 14th 2009, 16:26 |
ADmad |
whats bad about prefering stuff like lowercase tagnames and attributes, tags closing with /> etc |
| # |
Aug 14th 2009, 16:24 |
alkemann |
a lot of people use bad tools. because they like them or are used to them. thats fine. tool makers should make good tools though |
| # |
Aug 14th 2009, 16:22 |
markstory |
most do |
| # |
Aug 14th 2009, 16:21 |
ADmad |
i just go with 1.0 |
| # |
Aug 14th 2009, 16:20 |
markstory |
not like xhtml 1.1 ever worked. |
| # |
Aug 14th 2009, 16:20 |
ADmad |
until that new road is fully paved and ready to tread i will stick to my dead end |
| # |
Aug 14th 2009, 16:19 |
markstory |
xhtml5 lives on! |
| # |
Aug 14th 2009, 16:18 |
ADmad |
give an option, yes would like that.. go back, i would say no |
| # |
Aug 14th 2009, 16:16 |
alkemann |
since we are sorta on the issue, can we make the helper go back to html4strict? |
| # |
Aug 14th 2009, 16:16 |
poLK |
I dislike mozilla way how they hacked view class |
| # |
Aug 14th 2009, 16:16 |
markstory |
need another map var. |
| # |
Aug 14th 2009, 16:16 |
markstory |
poLK: that setup conflicts with passing params to helpers. |