Log message #990367

# At Username Text
# Aug 21st 2009, 16:52 markstory worst idea ever.
# Aug 21st 2009, 16:52 markstory mysqli is retarded
# Aug 21st 2009, 16:52 kiger lemme try mysql
# Aug 21st 2009, 16:52 markstory missed the i
# Aug 21st 2009, 16:52 markstory no mysql
# Aug 21st 2009, 16:52 markstory yes
# Aug 21st 2009, 16:52 kiger markstory: that with mysqli?
# Aug 21st 2009, 16:52 markstory shouldn't.
# Aug 21st 2009, 16:52 kiger well, I use smallint; dunno if that affects anything
# Aug 21st 2009, 16:51 gwoo try mysql
# Aug 21st 2009, 16:51 kiger that's really odd
# Aug 21st 2009, 16:51 markstory where salary is an integer field.
# Aug 21st 2009, 16:51 kiger right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data...
# Aug 21st 2009, 16:51 markstory with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1'
# Aug 21st 2009, 16:51 gwoo feel free to hack your own code :)
# Aug 21st 2009, 16:50 gwoo from being able to use forms to do it
# Aug 21st 2009, 16:50 gwoo the goal is to prevent users
# Aug 21st 2009, 16:50 gwoo yes, developers will always be able to inject
# Aug 21st 2009, 16:50 kiger just to see what cake does
# Aug 21st 2009, 16:49 kiger UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1
# Aug 21st 2009, 16:49 markstory why are you putting sql into integer fields?
# Aug 21st 2009, 16:49 kiger results in this:
# Aug 21st 2009, 16:49 kiger $this->Manufacturer->Product->save(array('Product'=>array('total_products'=>'total_products + 1 --')), false);
# Aug 21st 2009, 16:48 kiger $this->Manufacturer->Product->id = 1;
# Aug 21st 2009, 16:48 kiger mysqli
# Aug 21st 2009, 16:47 gwoo kiger: what dbo?
# Aug 21st 2009, 16:47 kiger lemme paste what I have (only a few lines):
# Aug 21st 2009, 16:47 kiger no I really have a "total_products" field; and that field allowed for the injection
# Aug 21st 2009, 16:47 markstory but they should be intval()
# Aug 21st 2009, 16:47 markstory well integers are not quoted...
# Aug 21st 2009, 16:46 proloser your username field is an integer field?
# Aug 21st 2009, 16:46 kiger my examples were using a string, but my real code was performed on a integer
# Aug 21st 2009, 16:46 kiger crud sorry; try it on an integer field
# Aug 21st 2009, 16:46 markstory doesn't do it for me.
# Aug 21st 2009, 16:45 gwoo kiger: around strings it would add 'test --'
# Aug 21st 2009, 16:45 gwoo updateAll does not
# Aug 21st 2009, 16:45 gwoo kiger: save adds the `
# Aug 21st 2009, 16:44 kiger So I tested out some injection on Model::save() and found this out ;(
# Aug 21st 2009, 16:43 kiger I was fooling with prepared statements using $this->query() last night (thanks for the patch btw markstory; it really kicks ass) but was curious about switching over to standard $this->save() and $this->updateAll(). I found it interesting that you cannot use prepared statements with updateAll() though which makes it very difficult to securely use; so I looked at what Model::save() does, but it just passes the stuff to update().
# Aug 21st 2009, 16:42 proloser hmm
# Aug 21st 2009, 16:40 kiger because the '--' comments everything else out afterwords (e.g., the WHERE id = 5)