# | Date | Username | Text |
---|---|---|---|
# | Aug 21st 2009, 16:52 | kiger | lemme try mysql |
# | Aug 21st 2009, 16:52 | markstory | missed the i |
# | Aug 21st 2009, 16:52 | markstory | no mysql |
# | Aug 21st 2009, 16:52 | markstory | yes |
# | Aug 21st 2009, 16:52 | kiger | markstory: that with mysqli? |
# | Aug 21st 2009, 16:52 | markstory | shouldn't. |
# | Aug 21st 2009, 16:52 | kiger | well, I use smallint; dunno if that affects anything |
# | Aug 21st 2009, 16:51 | gwoo | try mysql |
# | Aug 21st 2009, 16:51 | kiger | that's really odd |
# | Aug 21st 2009, 16:51 | markstory | where salary is an integer field. |
# | Aug 21st 2009, 16:51 | kiger | right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data... |
# | Aug 21st 2009, 16:51 | markstory | with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1' |
# | Aug 21st 2009, 16:51 | gwoo | feel free to hack your own code :) |
# | Aug 21st 2009, 16:50 | gwoo | from being able to use forms to do it |
# | Aug 21st 2009, 16:50 | gwoo | the goal is to prevent users |
# | Aug 21st 2009, 16:50 | gwoo | yes, developers will always be able to inject |
# | Aug 21st 2009, 16:50 | kiger | just to see what cake does |
# | Aug 21st 2009, 16:49 | kiger | UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1 |
# | Aug 21st 2009, 16:49 | markstory | why are you putting sql into integer fields? |
# | Aug 21st 2009, 16:49 | kiger | results in this: |
# | Aug 21st 2009, 16:49 | kiger | $this->Manufacturer->Product->save(array('Product'=>array('total_products'=>'total_products + 1 --')), false); |
# | Aug 21st 2009, 16:48 | kiger | $this->Manufacturer->Product->id = 1; |
# | Aug 21st 2009, 16:48 | kiger | mysqli |
# | Aug 21st 2009, 16:47 | gwoo | kiger: what dbo? |
# | Aug 21st 2009, 16:47 | kiger | lemme paste what I have (only a few lines): |
# | Aug 21st 2009, 16:47 | kiger | no I really have a "total_products" field; and that field allowed for the injection |
# | Aug 21st 2009, 16:47 | markstory | but they should be intval() |
# | Aug 21st 2009, 16:47 | markstory | well integers are not quoted... |
# | Aug 21st 2009, 16:46 | proloser | your username field is an integer field? |
# | Aug 21st 2009, 16:46 | kiger | my examples were using a string, but my real code was performed on an integer |
# | Aug 21st 2009, 16:46 | kiger | crud sorry; try it on an integer field |
# | Aug 21st 2009, 16:46 | markstory | doesn't do it for me. |
# | Aug 21st 2009, 16:45 | gwoo | kiger: around strings it would add 'test --' |
# | Aug 21st 2009, 16:45 | gwoo | updateAll does not |
# | Aug 21st 2009, 16:45 | gwoo | kiger: save adds the ` |
# | Aug 21st 2009, 16:44 | kiger | So I tested out some injection on Model::save() and found this out ;( |
# | Aug 21st 2009, 16:43 | kiger | I was fooling with prepared statements using $this->query() last night (thanks for the patch btw markstory; it really kicks ass) but was curious about switching over to standard $this->save() and $this->updateAll(). I found it interesting that you cannot use prepared statements with updateAll() though which makes it very difficult to securely use; so I looked at what Model::save() does, but it just passes the stuff to update(). |
# | Aug 21st 2009, 16:42 | proloser | hmm |
# | Aug 21st 2009, 16:40 | kiger | because the '--' comments everything else out afterwards (e.g., the WHERE id = 5) |
# | Aug 21st 2009, 16:40 | kiger | Here is the string I tried: $this->save(array('User'=>array('username'=>'test --')), false) which resulted in everyone's username being changed to 'test' |
# | Aug 21st 2009, 16:39 | markstory | updateAll is supposed to. |
# | Aug 21st 2009, 16:39 | kiger | well updateAll() clearly does, but doing an update through save() does too |
# | Aug 21st 2009, 16:39 | kiger | So I do $this->User->id = $userId |
# | Aug 21st 2009, 16:39 | markstory | so you're saying all update commands allow sql injection? |
# | Aug 21st 2009, 16:38 | kiger | I allow users to edit their account on my box |
# | Aug 21st 2009, 16:38 | markstory | ok |
# | Aug 21st 2009, 16:38 | kiger | [18:04] <kiger> check line 1238 in the latest svn of model.php |
# | Aug 21st 2009, 16:38 | kiger | [18:04] <kiger> $success = (bool)$db->update($this, $fields, $values); |
# | Aug 21st 2009, 16:37 | markstory | and should escape fields. |
# | Aug 21st 2009, 16:37 | markstory | Model::save() doesn't use updateAll |
# | Aug 21st 2009, 16:35 | kiger | But I never realized that Model::save() does not escape stuff either when you set Model->id because it will also use update. |
# | Aug 21st 2009, 16:34 | kiger | Basically, I didn't know that updateAll() doesn't escape stuff; the docs say it doesn't so no problem |
# | Aug 21st 2009, 16:32 | kiger | Should I mention it in here or does someone want me to explain in a pm? |
# | Aug 21st 2009, 16:32 | kiger | I think, and of course I'm probably wrong, I found a pretty big hole in cake regarding security that maybe many bakers don't know about? |
# | Aug 18th 2009, 10:24 | kuja | Ouch :| |
# | Aug 17th 2009, 12:53 | ProLoser|Work1 | !log |
# | Aug 16th 2009, 19:30 | ProLoser | !seen techno-dude |
# | Aug 16th 2009, 18:11 | proloser | !seen ad7six |
# | Aug 15th 2009, 15:56 | sky_l3ppard | hi poLK, i fixed the article, please take a look, when you have time, thanks |
# | Aug 15th 2009, 06:36 | ADmad | i kinda got lost what was your take on this ? |
# | Aug 15th 2009, 06:36 | alkemann | well at least he has more content than the other one, but i must stick to our discussion of yesterday |
# | Aug 15th 2009, 06:34 | ADmad | ya |
# | Aug 15th 2009, 06:34 | alkemann | oh by Jon |
# | Aug 15th 2009, 06:34 | ADmad | yup suddenly people are too interested in that topic :) |
# | Aug 15th 2009, 06:33 | alkemann | another one? |
# | Aug 15th 2009, 06:31 | ADmad | alkemann: you checked this other canonical helper http://bakery.cakephp.org/articles/view/canonical-helper ? |
# | Aug 14th 2009, 16:29 | markstory | plus you can use shouty <HTML> |
# | Aug 14th 2009, 16:29 | alkemann | many smarter and more versed in the issue than me have written volumes about it on the web, that I'm sure is just a google away if you are really interested |
# | Aug 14th 2009, 16:27 | ADmad | and you want html4strict because ? |
# | Aug 14th 2009, 16:27 | alkemann | what you "like" is not relevant to the issue |
# | Aug 14th 2009, 16:26 | ADmad | what's bad about preferring stuff like lowercase tagnames and attributes, tags closing with /> etc |
# | Aug 14th 2009, 16:24 | alkemann | a lot of people use bad tools. because they like them or are used to them. that's fine. tool makers should make good tools though |
# | Aug 14th 2009, 16:22 | markstory | most do |
# | Aug 14th 2009, 16:21 | ADmad | i just go with 1.0 |
# | Aug 14th 2009, 16:20 | markstory | not like xhtml 1.1 ever worked. |
# | Aug 14th 2009, 16:20 | ADmad | until that new road is fully paved and ready to tread i will stick to my dead end |
# | Aug 14th 2009, 16:19 | markstory | xhtml5 lives on! |
# | Aug 14th 2009, 16:18 | ADmad | give an option, yes would like that.. go back, i would say no |
# | Aug 14th 2009, 16:16 | alkemann | since we are sorta on the issue, can we make the helper go back to html4strict? |
# | Aug 14th 2009, 16:16 | poLK | I dislike mozilla way how they hacked view class |
# | Aug 14th 2009, 16:16 | markstory | need another map var. |
# | Aug 14th 2009, 16:16 | markstory | poLK: that setup conflicts with passing params to helpers. |
# | Aug 14th 2009, 16:16 | alkemann | u tell cake to put a different class instance in $html variable, but intention is that this new helper extends the one one expects to be there? |
# | Aug 14th 2009, 16:16 | poLK | declared to use in controller by $helpers = array('Html' => 'Canonical', 'Form', ...); |
# | Aug 14th 2009, 16:15 | poLK | alkemann: no, to overwrite meta() method in CanonicalHelper extending HtmlHelper, and then use it from views like $html->meta('canonical') |
# | Aug 14th 2009, 16:13 | alkemann | to add one method to do one line of code? |
# | Aug 14th 2009, 16:13 | poLK | I still think this way for replacing core helpers would be sweet |
# | Aug 14th 2009, 16:13 | alkemann | i dont think that helper is a reasonable solution to this issue. poLK gave two much better using the existing html helper |
# | Aug 14th 2009, 16:12 | poLK | (time to chat about ... again) |
# | Aug 14th 2009, 16:12 | poLK | markstory: probably time to chat about var $helpers = array('Html' => 'Canonical'); (class CanonicalHelper extends HtmlHelper, and then $html->meta('canonical')) |
# | Aug 14th 2009, 16:10 | markstory | but making a helper is a reasonable solution. |
# | Aug 14th 2009, 16:09 | poLK | +1 |
# | Aug 14th 2009, 16:08 | markstory | well I think the article is fine as it, making a separate helper is a bit overkill, you can do it with HtmlHelper right now, just not as nice. |
# | Aug 14th 2009, 16:06 | alkemann | so get the patch in and tell the guy to rewrite the article as a tutorial? linking to the commit for people that cant wait |
# | Aug 14th 2009, 16:03 | markstory | right. |
# | Aug 14th 2009, 16:02 | alkemann | the words "just" and "to" make a big difference in that sentence ;) |
# | Aug 14th 2009, 16:02 | markstory | which I've been doing as I find them. |
# | Aug 14th 2009, 16:02 | markstory | just have to document the options. |
# | Aug 14th 2009, 16:02 | markstory | nuh uh. |
# | Aug 14th 2009, 16:02 | alkemann | well yea, except this sort of api gets hidden in the Api |