
security - Am I protected from MySQL injection when I am using $this->data?

Question:

I am new to cakephp and security. I have read that security is built in for protection from MySQL injection if you follow cake's conventions, but can someone tell me if my save() will be safe without manually calling the Security class?

function edit($id) {
    $this->set('title', 'Edit your property');
    $this->Unit->id = $id;

    if (empty($this->data)) {
        // no form submission yet: load the record for the edit form
        $this->data = $this->Unit->read();
    } else {
        // form submitted: persist the posted data
        if ($this->Unit->saveAll($this->data)) {
            $this->Session->setFlash('Your property has been updated.');
        }
    }
}

Answer:

CakePHP will quote the data for you. Unless you are using a method similar to:

$this_year = date('Y-m-d h:i:s', strtotime('-1 year'));

$this->Baker->updateAll(
    array('Baker.approved' => true),
    array('Baker.created <=' => $this_year)
);

which takes SQL literals, you are safe and must not quote the data yourself to avoid getting the quotes in the data. Source: http://book.cakephp.org/2.0/en/models/saving-your-data.html

Answer:

Cake escapes the data IF you use the db-functions of cake (like $this->modelname->save($this->data) or $this->find(..)), be aware that if you use custom queries like $this->query("SELECT * FROM table WHERE id = '" . $this->data['model']['id'] . "'"); cake will NOT escape them, keep that in mind!
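To make the distinction in this answer concrete, here is an added example (it is not from the original thread and not CakePHP's own code) that puts a string-concatenated custom query next to the two forms CakePHP 2 quotes or binds for you: a find() with a conditions array, and query() with a bound parameter. The controller, the units table and the Unit.name column are assumed for illustration; it is also assumed, as in CakePHP 2.x, that the second argument of Model::query() is passed through as prepared-statement bindings.

```php
<?php
// Added example, not from the original answer or from CakePHP itself.
// Assumes CakePHP 2.x: Model::find() quotes values in the conditions
// array, Model::query($sql, $params) binds $params; a string you build
// yourself is sent to the database exactly as written.
class UnitsController extends AppController {
    public $uses = array('Unit');

    // VULNERABLE: the request value is pasted into the SQL text. A single
    // quote inside $id closes the string literal and whatever follows it
    // is parsed as SQL, which is the case this answer warns about.
    public function viewUnsafe($id) {
        $sql = "SELECT * FROM units WHERE id = '" . $id . "'";
        $rows = $this->Unit->query($sql);
        $this->set('unit', $rows);
    }

    // SAFE (1): let the ORM build the statement. Values in the conditions
    // array are quoted by the datasource according to the column type, so
    // a quote in $id stays data.
    public function view($id) {
        $unit = $this->Unit->find('first', array(
            'conditions' => array('Unit.id' => $id),
        ));
        if (!$unit) {
            throw new NotFoundException('Invalid unit');
        }
        $this->set('unit', $unit);
    }

    // SAFE (2): a hand-written query with a bound parameter. The '?' is
    // filled in by the database driver, so the value never becomes part
    // of the SQL text. (Assumption: Model::query() accepts a params array,
    // as it does in CakePHP 2.x; Unit.name is an assumed column.)
    public function search($term) {
        $rows = $this->Unit->query(
            'SELECT Unit.id, Unit.name FROM units AS Unit WHERE Unit.name LIKE ?',
            array('%' . $term . '%')
        );
        $this->set('results', $rows);
    }
}
```

The rule of thumb the example encodes: if the method takes an array (find conditions, save/saveAll data), Cake does the quoting; if you hand it a finished SQL string, you are responsible for what is in that string, and the safe way to get a variable into it is a bound parameter, not concatenation.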

Answer:

I will say no, as your parameter is not specialised or sanitized anywhere. Something like this would limit the risk:

function edit($id) {
    // cast the id to an integer so only a number gets through,
    // and require it to be greater than 0
    $id = (int)$id;
    if ($id > 0) {
        // hence the injection vulnerability at $id is fixed
        // ....remaining part
    }
}