I have a feedback form in Yii which simply takes input and saves it in the database. I know Yii uses PDO to save data, but it is still vulnerable to SQL injection.
Controller
public function actionFeedback()
{
    $model = new Feedback;
    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);
    if(isset($_POST['Feedback']))
    {
        $model->attributes = $_POST['Feedback'];
        if($model->save())
            $this->redirect(array('view','id'=>$model->id));
    }
    // $managerList and $branchList (the dropdown options) are built before this call; not shown in the post
    $this->render('feedback',array(
        'model'=>$model,'managerList'=>$managerList,'branchList'=>$branchList,
    ));
}
Model
public function rules()
{
    return array(
        array('branch, manager,comments', 'required'),
        array('branch,manager', 'length', 'max'=>5),
        array('comments', 'length', 'min'=>10, 'max'=>'2000'),
    );
}
View
<?php $form = $this->beginWidget('CActiveForm', array(
    'id'=>'user-form',
    'enableAjaxValidation'=>true,
    'enableClientValidation'=>true,
)); ?>
<?php echo $form->errorSummary($model); ?>
<div class="row">
    <?php echo $form->labelEx($model,'branch'); ?>
    <?php echo $form->dropDownList($model,'branch', $branchList, array('prompt'=>'Select branch')); ?>
    <?php echo $form->error($model,'branch'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($model,'manager'); ?>
    <?php echo $form->dropDownList($model,'manager', $managerList, array('prompt'=>'Select manager')); ?>
    <?php echo $form->error($model,'manager'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($model,'comments'); ?>
    <?php // CActiveForm has no extArea(); the method is textArea()
    echo $form->textArea($model, 'comments', array('rows'=>15, 'cols'=>75)); ?>
    <?php echo $form->error($model,'comments'); ?>
</div>
<?php $this->endWidget(); ?>
For me it is SQL-injection safe, as the insert query in save() is like
INSERT INTO feedback (branch,manager,comments) VALUES (:yp0,:yp1,:yp2), bound with :yp0 = '2', :yp1 = '4', :yp2 = 'hello this is a testing comment'
Still, when this was tested by a third party, I saw they had injected a query, so my system gave an error like
duplicate entry for 4CuJhL8T2Oc1 for key 'group_key'
I searched and found this error but am unable to reproduce it from my front end. Can anyone please suggest how it was generated, and also help me prevent it?
Any help is appreciated
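The difference the bound query makes, as an added example that is not part of the post above: the same payload is sent through an INSERT built by string interpolation and through a prepared statement shaped like the one quoted from Yii. A bound value can never change the statement text, so the quoted INSERT is not a path by which text becomes SQL; the MySQL message quoted is the one raised when a GROUP BY produces the same grouping key twice, so the statement that triggered it is worth looking for among any code that builds SQL text from request data, and the fix there is the same binding. The script uses PDO against an in-memory SQLite database so it runs offline; the table and the payload are constructed for the demonstration.

```php
<?php
// Added example, not code from the post: the same payload sent through an INSERT
// built by string interpolation and through a prepared statement shaped like the
// one Yii generated (:yp0,:yp1,:yp2). PDO with an in-memory SQLite database, so it
// runs offline; the table and the payload are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE feedback (id INTEGER PRIMARY KEY, branch TEXT, manager TEXT, comments TEXT)');

// Constructed payload for the comments field: closes the open string and the
// VALUES tuple, appends a second tuple, then comments out the rest of the statement.
$branch   = '2';
$manager  = '4';
$comments = "x'),('9','9','injected row')-- ";

function countRows(PDO $pdo)
{
    return (int) $pdo->query('SELECT COUNT(*) FROM feedback')->fetchColumn();
}

// Vulnerable form: request data becomes part of the SQL text, so the extra tuple
// in the payload is executed as SQL and one form submission inserts more than one row.
$pdo->exec("INSERT INTO feedback (branch,manager,comments) VALUES ('$branch','$manager','$comments')");
echo "interpolated INSERT stored " . countRows($pdo) . " row(s)\n";
$pdo->exec('DELETE FROM feedback');

// Bound form: the statement text is fixed before any value is supplied, so the
// payload can only ever be the value of the comments column.
$stmt = $pdo->prepare('INSERT INTO feedback (branch,manager,comments) VALUES (:yp0,:yp1,:yp2)');
$stmt->execute(array(':yp0' => $branch, ':yp1' => $manager, ':yp2' => $comments));
$stored = $pdo->query('SELECT comments FROM feedback')->fetchColumn();
echo "bound INSERT stored " . countRows($pdo) . " row(s); comments column equals the payload: "
    . var_export($stored === $comments, true) . "\n";
```

Run it with the php CLI (the pdo_sqlite extension is needed). The first INSERT executes the payload's second tuple; the second stores the whole payload as the text of one comment.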
Related
I just need to do a registration form; I'm battling to complete this task with CActiveForm. Basically it's just inserting a new DB record on form submit. This is what I have:
MyView
<!--begin a form-->
<?php $form = $this->beginWidget('CActiveForm', array(
    'id'=>'user-registration-form',
    'enableAjaxValidation'=>true,
    'enableClientValidation'=>true,
    'focus'=>array($model,'firstName'),
)); ?>
<!--error handling-->
<?php echo $form->errorSummary($model); ?>
<div class="row">
    <?php echo $form->labelEx($model,'firstName'); ?>
    <?php echo $form->textField($model,'firstName'); ?>
    <?php echo $form->error($model,'firstName'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($model,'lastName'); ?>
    <?php echo $form->textField($model,'lastName'); ?>
    <?php echo $form->error($model,'lastName'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($model,'age'); ?>
    <?php echo $form->textField($model,'age'); ?>
    <?php echo $form->error($model,'age'); ?>
</div>
<?php $this->endWidget(); ?>
<!--end a form-->
My controller that renders the above view; this is where I'm stuck. I also created a model called User (haven't done any code in it, default):
class RegisterController extends Controller
{
    public function actionIndex()
    {
        $model = User::
        $this->render('index', array('model'=>$model));
    }
}
From my research I found there is something like this (link), I just don't know how to use it:
$post=new Post;
$post->title='sample post';
$post->content='post body content';
$post->save();
Thanks in advance
You need to do this in your actionIndex:
public function actionIndex()
{
    $model = new User;
    if(isset($_POST['User']))
    {
        $model->attributes = $_POST['User'];
        if($model->save())
        {
            // Do any stuff here, for example redirect to the created user's view.
        }
    }
    $this->render('index', array('model'=>$model));
}
I recommend you read the Building a blog system with Yii tutorial. It is a very good resource for learning Yii better, and it also teaches you the most important parts of any web application.
I have two models, Register and Login. I insert data into these two tables from a single form, and I want to display the entered data in a single view page, i.e. data from two models in a single view.php.
RegisterController.php
public function actionCreate()
{
    $model = new Register;
    $modelLogin = new Login;
    $modelGenerate = new Generate;
    $row = Generate::model()->findByPk('1') ;
    $gen_reg = $row['gen_reg'];
    $gen_log = $row['gen_log'];
    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);
    if(isset($_POST['btnRegister']))
    {
        $model->attributes=$_POST['Register'];
        $modelLogin->attributes=$_POST['Login'];
        $modelLogin->reg_id=$model->reg_id;
        $valid = $model->validate();
        $valid = $modelLogin->validate() && $valid;
        if($model->save()&& $modelLogin->save())
            $this->redirect(array('view','id'=>$modelLogin->log_id));
    }
    $this->render('create',array(
        'model'=>$model,
        'modelLogin'=>$modelLogin,
        'gen_reg'=>$gen_reg,
        'gen_log'=>$gen_log
    ));
}
_form.php
<?php $form=$this->beginWidget('CActiveForm', array(
    'id'=>'register-form',
    // Please note: When you enable ajax validation, make sure the corresponding
    // controller action is handling ajax validation correctly.
    // There is a call to performAjaxValidation() commented in generated controller code.
    // See class documentation of CActiveForm for details on this.
    'enableAjaxValidation'=>true,
)); ?>
<div class="row">
    <?php echo $form->textField($model,'reg_id',array('size'=>10,'maxlength'=>10,'class'=>'txt'));?>
</div>
<div class="row">
    <?php echo $form->labelEx($model,'username'); ?>
    <?php echo $form->textField($model,'username',array('size'=>50,'maxlength'=>50,'class'=>'txt')); ?>
    <?php echo $form->error($model,'username'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($modelLogin,'email'); ?>
    <?php echo $form->textField($modelLogin,'email',array('size'=>60,'maxlength'=>100,'class'=>'txt')); ?>
    <?php echo $form->error($modelLogin,'email'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($modelLogin,'password'); ?>
    <?php echo $form->passwordField($modelLogin,'password',array('size'=>50,'maxlength'=>50,'class'=>'txt')); ?>
    <?php echo $form->error($modelLogin,'password'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($modelLogin,'passwordCompare'); ?>
    <?php echo $form->passwordField($modelLogin,'passwordCompare',array('size'=>60,'maxlength'=>64,'class'=>'txt')); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($model,'mobile'); ?>
    <?php echo $form->textField($model,'mobile',array('size'=>10,'maxlength'=>10,'class'=>'txt')); ?>
    <?php echo $form->error($model,'mobile'); ?>
</div>
<div class="row">
    <?php echo $form->textField($modelLogin,'log_id',array('size'=>10,'maxlength'=>10,'class'=>'txt'));?>
</div>
<div class="row buttons">
    <?php echo CHtml::submitButton($model->isNewRecord ? 'Register' : 'Save',array('name'=>'btnRegister','class'=>'btn')); ?>
</div>
<?php $this->endWidget(); ?>
Relation in register model
public function relations()
{
    // NOTE: you may need to adjust the relation name and the related
    // class name for the relations automatically generated below.
    return array(
        'logins' => array(self::HAS_MANY, 'Login', 'reg_id'),
    );
}
Relation in login model
public function relations()
{
    // NOTE: you may need to adjust the relation name and the related
    // class name for the relations automatically generated below.
    return array(
        'reg' => array(self::BELONGS_TO, 'Register', 'reg_id'),
    );
}
I want the data from the two models (that I just inserted) to be displayed on my view.php page. How can I achieve this??? Right now I get the output "not set" for the fields from the Login model.
view.php
<?php
$this->breadcrumbs=array(
    'Register'=>array('index'),
    $model->reg_id,
);
$this->menu=array(
    array('label'=>'List Register', 'url'=>array('index')),
    array('label'=>'Create Register', 'url'=>array('create')),
    array('label'=>'Update Register', 'url'=>array('update', 'id'=>$model->reg_id)),
    array('label'=>'Delete Register', 'url'=>'#', 'linkOptions'=>array('submit'=>array('delete','id'=>$model->reg_id),'confirm'=>'Are you sure you want to delete this item?')),
    array('label'=>'Manage Register', 'url'=>array('admin')),
);
?>
<h1>View Register #<?php echo $model->reg_id; ?></h1>
<?php $this->widget('zii.widgets.CDetailView', array(
    'data'=>$model,
    'attributes'=>array(
        'reg_id',
        'username',
        'mobile',
    ),
)); ?>
<?php $this->widget('zii.widgets.CDetailView', array(
    'data'=>$row,
    'attributes'=>array(
        'log_id',
        'password',
        'email',
    ),
)); ?>
I really don't know why this is happening: my model validations are not working while creating a record in Yii, and
no errors are displayed.
The thing is, if any of the required fields is empty, it still passes to the display page without displaying errors,
but it doesn't insert the record, as not all required fields are filled.
What I need is to display the errors in the same form, i.e. validation should not pass if required fields are empty.
Validation works with no issues in update; the issue is with the create form,
but it does insert the record if all required fields are filled.
Errors displayed in update are black, not red as default in Yii ...... is it due to the extension I am using?
model rules
array('name, category, model, brand, description, price', 'required'),
array('pimg', 'file','types'=>'jpg','on'=>'create'),
array('pimg', 'file','types'=>'jpg','on'=>'update', 'allowEmpty'=>true),
controller for create
$model=new controllername;
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if(isset($_POST['controllername']))
{
    $model->attributes=$_POST['controllername'];
    $model->pimg=CUploadedFile::getInstance($model,'pimg');
    $fileName = $model->pimg;
    if($model->save())
        $model->pimg->saveAs('images/'.$fileName);
    $this->redirect(array('display','id'=>$model->productid));
}
$this->render('create',array(
    'model'=>$model,
));
view
<?php $form=$this->beginWidget('CActiveForm',array(
    'id'=>'form_name',
    'enableAjaxValidation'=>false,
    'htmlOptions'=>array('enctype'=>'multipart/form-data'),
)); ?>
<p class="note">Fields with <span class="required">*</span> are required.</p>
<?php echo $form->labelEx($model,'name'); ?>
<?php echo $form->textField($model,'name',array('size'=>60,'maxlength'=>60)); ?>
<?php echo $form->error($model,'name'); ?>
<?php echo $form->labelEx($model,'model'); ?>
<?php echo $form->textField($model,'model',array('size'=>30,'maxlength'=>30)); ?>
<?php echo $form->error($model,'model'); ?>
<?php echo $form->labelEx($model,'description'); ?>
<?php echo $form->textField($model,'description',array('size'=>60,'maxlength'=>256)); ?>
<?php echo $form->error($model,'description'); ?>
<?php echo $form->labelEx($model,'pimg'); ?>
<?php echo $form->hiddenField($model,'pimg',array('length'=>222)); ?>
<?php echo $form->fileField($model, 'pimg',array('id'=>'imgInput')); ?>
<?php echo $form->error($model,'pimg'); ?>
<?php echo $form->labelEx($model,'category'); ?>
<?php echo $form->dropDownList($model,'category',$model->getCat()); ?>
<?php echo $form->error($model,'category'); ?>
<?php echo $form->labelEx($model,'brand'); ?>
<?php echo $form->textField($model,'brand',array('size'=>30,'maxlength'=>30)); ?>
<?php echo $form->error($model,'brand'); ?>
<?php echo $form->labelEx($model,'price'); ?>
<?php echo $form->textField($model,'price'); ?>
<?php echo $form->error($model,'price'); ?>
<?php echo CHtml::submitButton($model->isNewRecord ? 'Create' : 'Save'); ?>
<?php $this->endWidget(); ?>
Can someone PLEASE tell me how I can achieve this. Thank you
Try with:
array('name, category, model, brand, description, price', 'required'),
array('pimg', 'file','types'=>'jpg','on'=>'insert', 'allowEmpty'=>false),
array('pimg', 'file','types'=>'jpg','on'=>'update', 'allowEmpty'=>true),
If you redirect the page, the errors will not be shown;
your code redirects anyway, whether save() succeeds or not.
Add {} after your if:
if($model->save())
{
    $model->pimg->saveAs('images/'.$fileName);
    $this->redirect(array('display','id'=>$model->productid));
}
I know that usually you would just use the integrated CRUD delete button that is in admin; however, for my purposes I require an actual page for delete that just has the id in a field and a submit button, but so far it just produces the error view, so any assistance is appreciated. I have tried to create it the same way my create and update pages are set up; please see the code below:
The link to the delete page:
<?php echo CHtml::link('Delete Article', array('delete', 'id'=>$pageid)); ?>
The link it produces:
http://local/..../Yii/news/index.php/delete?id=3
The controller:
public function actionDelete($id)
{
    $model=$this->loadModel($id);
    if(isset($_POST['news_model']))
    {
        $model->attributes=$_POST['news_model'];
        if($model->save())
            $this->redirect('index');
    }
    // render() takes the view name and the data array as separate arguments
    $this->render('delete', array(
        'model'=>$model,
    ));
}
Delete.php:
<h2>Delete a news item</h2>
<?php echo $this->renderPartial('_form2', array('model'=>$model)); ?>
_form2.php
<?php $form=$this->beginWidget('CActiveForm', array(
    'id'=>'news-model-form',
    'enableAjaxValidation'=>false,
)); ?>
<?php // $form only exists after beginWidget(), so the summary goes here
echo $form->errorSummary($model); ?>
<div class="form">
    <div class="row">
        <?php echo $form->labelEx($model,'id'); ?><br>
        <?php echo $form->textField($model,'id',array('size'=>50,'maxlength'=>128)); ?>
        <?php echo $form->error($model,'id'); ?>
    </div><br>
    <div class="row buttons">
        <?php echo CHtml::submitButton($model->isNewRecord ? 'Delete a news item'); ?>
    </div>
    <?php $this->endWidget(); ?>
</div><!-- form -->
Thanks in advance for any help given.
You have an error in your PHP syntax in _form2.php:
<?php echo CHtml::submitButton($model->isNewRecord ? 'Delete a news item'); ?>
It should be more like:
<?php echo CHtml::submitButton($model->isNewRecord ? 'Delete a news item':'Delete an old item'); ?>
See the ternary operator in PHP: Comparison Operators.
... yet I don't see the point of that statement; to me it would seem more like:
<?php if (!$model->isNewRecord) echo CHtml::submitButton("Delete Record"); ?>
... but the record is guaranteed not to be new when it is loaded by $model=$this->loadModel($id);
Also, in Delete.php
<?php echo $this->renderPartial('_form2', array('model'=>$model)); ?>
would be more like:
<?php echo $this->renderPartial('_form2', array('model'=>$model), true); ?>
or
<?php $this->renderPartial('_form2', array('model'=>$model)); ?>
See the documentation for renderPartial(), and pay particular attention to its return value and its third argument. It turns out that you're actually echoing NULL, which explains why there is no display.
I am a newbie to the Yii framework. I want a multi-model form, so I went through this link and did everything like this. I have two tables; the first is group and the other is member.
Group: ID, name
Member: id, group_id, firstname, lastname
Now I have made models for both tables and CRUD as well. I changed the GroupController file like this:
public function actionCreate()
{
    $group = new Group;
    $member = new Member;
    if(isset($_POST['Group'],$_POST['Member'])) {
        //Populate input data to $group and $member
        $group->attributes = $_POST['Group'];
        $member->attributes = $_POST['Member'];
        //Validate both $group and $member
        $validate = $group->validate();
        $validate = $member->validate() && $valid;
        if($valid){
            $group->save(false);
            $member->save(false);
        }
    }
    $this->render('create',array(
        'group'=> '$group',
        'member'=> '$member',
    ));
    $model=new Group;
    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);
    if(isset($_POST['Group']))
    {
        $model->attributes=$_POST['Group'];
        if($model->save())
            $this->redirect(array('view','id'=>$model->id));
    }
    $this->render('create',array(
        'model'=>$model,
    ));
}
and after that I changed the group >> View >> create.php file like this:
<?php echo $this->renderPartial('_form', array('group'=>$group, 'member'=>$member)); ?>
The _form file is like this
<div class="form">
<?php $form=$this->beginWidget('CActiveForm', array(
    'id'=>'group-form',
    'enableAjaxValidation'=>false,
)); ?>
<p class="note">Fields with <span class="required">*</span> are required.</p>
<?php echo $form->errorSummary($group,$member); ?>
<div class="row">
    <?php echo $form->labelEx($model,'name'); ?>
    <?php echo $form->textField($model,'name'); ?>
    <?php echo $form->error($model,'name'); ?>
</div>
<div class="row">
    <?php echo $form->labelEx($member,'firstname'); ?>
    <?php echo $form->textField($member,'firstname',array('size'=>60,'maxlength'=>128)); ?>
    <?php echo $form->error($member,'firstname'); ?>
</div>
<div class="row buttons">
    <?php echo CHtml::submitButton($model->isNewRecord ? 'Create' : 'Save'); ?>
</div>
<?php $this->endWidget(); ?>
</div><!-- form -->
but after all this I am getting an error like this: Undefined variable: group.
So can someone please tell me how to solve this issue? I have lost one day on this, so any help and suggestions will be highly appreciated.
You are making multiple mistakes here:
when you call
$this->render('create',array(
    'model'=>$model,
));
you are not passing the $group or $member models which you created in the group create controller. Change it to:
$this->render('create',array(
    'group'=>$group,
    'member'=>$member,
));
and secondly, there is no variable named $valid; change this part
$validate = $member->validate() && $valid;
if($valid){
to
$validate = $member->validate() && $validate;
if($validate){
and now things should work fine.
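One way to save the two records as a unit, as an added example that is neither the question's nor the answer's code; the Register/Login case earlier on this page needs the same thing. The child row takes its foreign key from the id the parent insert generated, never from the request, and both inserts run inside one transaction so that a failed child insert does not leave a parent row behind. In Yii 1 the transaction comes from Yii::app()->db->beginTransaction() with commit() and rollback() on the returned object; plain PDO with an in-memory SQLite database is used here so the script runs offline. Table and column names follow the question (group is a reserved word in SQL, so it is quoted); the two requests at the bottom are constructed input.

```php
<?php
// Added example, not code from the question or the answer: inserting a group and
// its member as one unit of work. PDO with in-memory SQLite so it runs stand-alone;
// table and column names follow the question, the input below is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('PRAGMA foreign_keys = ON');
$pdo->exec('CREATE TABLE "group" (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec('CREATE TABLE member (
    id INTEGER PRIMARY KEY,
    group_id INTEGER NOT NULL REFERENCES "group"(id),
    firstname TEXT NOT NULL,
    lastname TEXT NOT NULL)');

/**
 * Insert a group and its first member together.
 * Returns the new group id, or null if either insert failed (then nothing is kept).
 */
function createGroupWithMember(PDO $pdo, array $group, array $member)
{
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('INSERT INTO "group" (name) VALUES (:name)');
        $stmt->execute(array(':name' => $group['name']));
        $groupId = (int) $pdo->lastInsertId();

        // The child needs the parent's generated key: take it from the first
        // insert, never from the submitted form data.
        $stmt = $pdo->prepare('INSERT INTO member (group_id, firstname, lastname)
                               VALUES (:group_id, :firstname, :lastname)');
        $stmt->execute(array(
            ':group_id'  => $groupId,
            ':firstname' => $member['firstname'],
            ':lastname'  => $member['lastname'],
        ));

        $pdo->commit();
        return $groupId;
    } catch (PDOException $e) {
        // Any failure after the group insert undoes the group insert as well.
        $pdo->rollBack();
        return null;
    }
}

// Constructed input: the first request is complete; the second has no lastname,
// so the member insert violates NOT NULL and the group insert is rolled back.
$first  = createGroupWithMember($pdo, array('name' => 'admins'),
                                      array('firstname' => 'Ann', 'lastname' => 'Lee'));
$second = createGroupWithMember($pdo, array('name' => 'orphan'),
                                      array('firstname' => 'Bob', 'lastname' => null));

$groups  = (int) $pdo->query('SELECT COUNT(*) FROM "group"')->fetchColumn();
$members = (int) $pdo->query('SELECT COUNT(*) FROM member')->fetchColumn();
echo "first call returned " . var_export($first, true) . "\n";
echo "second call returned " . var_export($second, true) . "\n";
echo "groups: $groups, members: $members\n";
```

Run it with the php CLI (pdo_sqlite required). Only the group from the first call survives: the second call's group row is rolled back together with its failed member insert, which is what the two unconditional save(false) calls in the question cannot guarantee.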