The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this:
$foo = new Widget();
$foo->fromArray($_POST);
$foo->save(); /* Aaand you're done! */
...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.
Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and performance enhancing).
Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.
So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.
Propel is safe as Adnan said, but when you decide to use the fromArray() method, never pass the $_POST global variable directly. Otherwise, you open the door to the mass assignment attack.
You always have to check input data, in other words, you should never trust your users.
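As an added illustration of the mass assignment point above (not Propel's own code, and not part of the original answer), the stand-in model below imitates a generated Propel class whose fromArray() routes every key to a setter; the column names and the is_admin flag are assumed for the example, and the whitelist built with array_intersect_key() is the kind of check the answer recommends before handing request data to fromArray():

```php
<?php
// Added example, not Propel's own code: a minimal stand-in for a generated
// Propel model. Column names and the is_admin flag are assumed.
class Widget
{
    private array $fields = ['name' => null, 'color' => null, 'is_admin' => false];

    public function setName(string $v): void  { $this->fields['name'] = $v; }
    public function setColor(string $v): void { $this->fields['color'] = $v; }
    public function setIsAdmin(bool $v): void { $this->fields['is_admin'] = $v; }

    // Mirrors the behaviour the question relies on: each array key is mapped
    // to a setter, so whatever keys the caller supplies end up on the model.
    public function fromArray(array $arr): void
    {
        foreach ($arr as $key => $value) {
            $setter = 'set' . str_replace('_', '', ucwords($key, '_'));
            if (method_exists($this, $setter)) {
                $this->$setter($value);
            }
        }
    }

    public function toArray(): array { return $this->fields; }
}

// Constructed request: the form fields a user is expected to send, plus one
// field that the form never exposes but an attacker can add to the POST body.
$post = ['name' => 'gear', 'color' => 'red', 'is_admin' => true];

// Passing the request straight through: every key reaches a setter,
// including is_admin.
$unsafe = new Widget();
$unsafe->fromArray($post);

// Whitelisting first: only the fields this form is allowed to set are
// forwarded, so is_admin keeps its default.
$allowed = ['name' => true, 'color' => true];
$safe = new Widget();
$safe->fromArray(array_intersect_key($post, $allowed));

var_dump($unsafe->toArray()['is_admin']);
var_dump($safe->toArray()['is_admin']);
```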
Related
Is it safe to load data into the model via load() method?
In $model there is only name and email properties, that have only "string" validator.
// Fixed: the original was missing the closing parenthesis of load()
if ($model->load(Yii::$app->request->post()) && $model->save()) {
}
When I do something like shown above, is it safe against SQL injection?
Yes it is! (sorry I couldn't resist the joke).
Actually the model is an abstraction from the database, so it does not care about what DB you are using and/or what problems could occur. Usually, in Yii2 most of the DB operations occur via ActiveRecord, which uses PDO prepared statements that prevent SQL injection attacks.
If you won't be using ActiveRecord though, I recommend you to read this.
I'm using the Propel framework for communication with a database. I figured that it's using PDO and makes a bindParam() when I try to make an input, so SQL injections should be covered.
But does it provide extra security such as strip_tags(), htmlspecialchars() or similar stuff, or should I do this manually?
I have used PDO before so I know the basics, but it's the first time I'm using Propel.
I would not expect an ORM to protect against XSS attacks. That is a problem that has nothing to do with the database layer (and would cause you problems if you wanted to store HTML).
The only "security" that Propel provides is the parameter binding that you mention. Anything beyond that could cause issues if someone does want to store html tags, special characters, etc. That said, you can extend Propel to do that for you if necessary. For example, you could override the setXxxx() method(s) in your class:
// Fixed: the generated parent class is BaseBook, and the setter is an
// instance method (a static method could not call parent::setTitle()).
class Book extends BaseBook {
...
public function setTitle($v) {
return parent::setTitle(strip_tags($v));
}
...
}
Doing something like the above will let you execute strip_tags() on the Book title any time it is set. Since Propel uses the setter method anywhere it can, you should be good. Of course, YOUR code has to actually use that setter everywhere to ensure it happens.
I have heard (thanks to SO) that the mysql_* family of functions is vulnerable to SQL injections, so it is always recommended to use the mysqli_* or PDO approach.
So, I tried to trace out which of these approaches is used in CodeIgniter, as I have been using CI for 4 months. But I could not figure it out.
Can anybody tell me which of these or any other approach is used in CI?
Thanks in advance.
CodeIgniter uses whichever method you choose, based on your config/database.php file. For example, if you choose mysqli as your driver, it will use the mysqli family of functions. If you choose mysql, it will use the mysql family, and so on.
There is a PDO driver, but it's not the most stable thing in the world in the current releases.
If you're using the "active record" functions in CodeIgniter (which should really be called "query builder" functions, since they don't follow the Active Record pattern), then all of your data is automatically sanitized with the appropriate functions. If you say, for example, $this->db->where('field', $value), and you're using the mysqli driver, CodeIgniter will automatically call mysqli_real_escape_string on the $value input you pass to it, rendering the query safe.
I should also note that this automatic sanitization only applies to the active record helper functions, like $this->db->get and the like. If you try to run your own query using $this->db->query("SELECT * FROM table WHERE field = '" . $field . "'") then you need to take care to protect yourself, since you're bypassing CodeIgniter's security mechanisms. Running a query directly with the query() method is like saying "don't worry, I know what I'm doing." You need to specifically ask CodeIgniter to sanitize certain values for you by calling $this->db->escape() or its related functions. If you just concatenate variables into your query, then you're going to open yourself up to SQL injections.
I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?
Thanks!
In order to use prepared statements, you can simply use query bindings with CodeIgniter.
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);
More info found here.
CakePHP runs all model queries through its own methods; if you use the model methods it automatically sanitizes any data passed to the query for you, i.e.
$options['conditions'] = array('Product.status'=>$status);
$this->Product->find('first',$options);
Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.
Does CakePHP check inputs to see if they are valid and not injections? If not, how would I go about implementing functions to check inputs? Most of Cake's processes are done behind the scenes, so I'm unsure of where I would do that.
CakePHP's ORM functionality automatically cleans up any input to prevent SQL injection.
You can use the sanitize class in the controller to prevent against sql injections, specifically the escape method.
To give a quick example for posted input:
// Fixed: the original was missing the closing parenthesis of empty()
// and had a broken array index in the Sanitize::escape() call
if (!empty($this->data))
{
App::import('Sanitize');
$this->data['Model']['dirtyInput'] = Sanitize::escape($this->data['Model']['dirtyInput'], 'default');
}
Also, check out the clean method for a way to clean both HTML and sql injections from your whole $this->data array