| # |
Aug 21st 2009, 16:52 |
markstory |
missed the i |
| # |
Aug 21st 2009, 16:52 |
markstory |
no mysql |
| # |
Aug 21st 2009, 16:52 |
markstory |
yes |
| # |
Aug 21st 2009, 16:52 |
kiger |
markstory: that with mysqli? |
| # |
Aug 21st 2009, 16:52 |
markstory |
shouldn't. |
| # |
Aug 21st 2009, 16:52 |
kiger |
well, I use smallint; dunno if that affects anything |
| # |
Aug 21st 2009, 16:51 |
gwoo |
try mysql |
| # |
Aug 21st 2009, 16:51 |
kiger |
that's really odd |
| # |
Aug 21st 2009, 16:51 |
markstory |
where salary is an integer field. |
| # |
Aug 21st 2009, 16:51 |
kiger |
right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data... |
| # |
Aug 21st 2009, 16:51 |
markstory |
with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1' |
| # |
Aug 21st 2009, 16:51 |
gwoo |
feel free to hack your own code :) |
| # |
Aug 21st 2009, 16:50 |
gwoo |
from being able to use forms to do it |
| # |
Aug 21st 2009, 16:50 |
gwoo |
the goal is to prevent users |
| # |
Aug 21st 2009, 16:50 |
gwoo |
yes, developers will always be able to inject |
| # |
Aug 21st 2009, 16:50 |
kiger |
just to see what cake does |
| # |
Aug 21st 2009, 16:49 |
kiger |
UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1 |
| # |
Aug 21st 2009, 16:49 |
markstory |
why are you putting sql into integer fields? |
| # |
Aug 21st 2009, 16:49 |
kiger |
results in this: |
| # |
Aug 21st 2009, 16:49 |
kiger |
$this->Manufacturer->Product->save(array('Product'=>array('total_products'=>'total_products + 1 --')), false); |
| # |
Aug 21st 2009, 16:48 |
kiger |
$this->Manufacturer->Product->id = 1; |
| # |
Aug 21st 2009, 16:48 |
kiger |
mysqli |
| # |
Aug 21st 2009, 16:47 |
gwoo |
kiger: what dbo? |
| # |
Aug 21st 2009, 16:47 |
kiger |
lemme paste what I have (only a few lines): |
| # |
Aug 21st 2009, 16:47 |
kiger |
no I really have a "total_products" field; and that field allowed for the injection |
| # |
Aug 21st 2009, 16:47 |
markstory |
but they should be intval() |
| # |
Aug 21st 2009, 16:47 |
markstory |
well integers are not quoted... |
| # |
Aug 21st 2009, 16:46 |
proloser |
your username field is an integer field? |
| # |
Aug 21st 2009, 16:46 |
kiger |
my examples were using a string, but my real code was performed on a integer |
| # |
Aug 21st 2009, 16:46 |
kiger |
crud sorry; try it on an integer field |
| # |
Aug 21st 2009, 16:46 |
markstory |
doesn't do it for me. |
| # |
Aug 21st 2009, 16:45 |
gwoo |
kiger: around strings it would add 'test --' |
| # |
Aug 21st 2009, 16:45 |
gwoo |
updateAll does not |
| # |
Aug 21st 2009, 16:45 |
gwoo |
kiger: save adds the ` |
| # |
Aug 21st 2009, 16:44 |
kiger |
So I tested out some injection on Model::save() and found this out ;( |
| # |
Aug 21st 2009, 16:43 |
kiger |
I was fooling with prepared statements using $this->query() last night (thanks for the patch btw markstory; it really kicks ass) but was curious about switching over to standard $this->save() and $this->updateAll(). I found it interesting that you cannot use prepared statements with updateAll() though which makes it very difficult to securely use; so I looked at what Model::save() does, but it just passes the stuff to update(). |
| # |
Aug 21st 2009, 16:42 |
proloser |
hmm |
| # |
Aug 21st 2009, 16:40 |
kiger |
because the '--' comments everything else out afterwords (e.g., the WHERE id = 5) |
| # |
Aug 21st 2009, 16:40 |
kiger |
Here is the string I tried: $this->save(array('User'=>array('username'=>'test --')), false) which resulted in everyone's username being changed to 'test' |
| # |
Aug 21st 2009, 16:39 |
markstory |
updateAll is supposed to. |
| # |
Aug 21st 2009, 16:39 |
kiger |
well updateAll() clearly does, but doing an update through save() does too |