Does CakePHP have built-in functions to check for MySQL injections? - php

Does CakePHP check inputs to see if they are valid and not injections? If not, how would I go about implementing functions to check inputs? Most of Cake's processes are done behind the scenes, so I'm unsure of where I would do that.

CakePHP's ORM functionality automatically cleans up any input to prevent SQL injection.

You can use the Sanitize class in the controller to guard against SQL injection, specifically the escape method.
To give a quick example for posted input:
if (!empty($this->data)) {
    App::import('Sanitize');
    // Escape the value for the 'default' database connection before it reaches a query
    $this->data['Model']['dirtyInput'] = Sanitize::escape($this->data['Model']['dirtyInput'], 'default');
}
Also, check out the clean method for a way to clean both HTML and SQL injection attempts from your whole $this->data array.

Related

Is $model->load() in Yii2 safe?

Is it safe to load data into the model via load() method?
In $model there is only name and email properties, that have only "string" validator.
if ($model->load(Yii::$app->request->post()) && $model->save()) {
}
When I do something like shown above, is it safe against SQL injection?
Yes it is! (sorry I couldn't resist the joke).
Actually the model is an abstraction from the database, so it does not care about what DB you are using and/or what problems could occur. Usually, in Yii2 most of the DB operations occur via ActiveRecord, which uses PDO prepared statements that prevent SQL injection attacks.
If you won't be using ActiveRecord though, I recommend you to read this.

What is the best way to sanitize $_GET for database search if I use CodeIgniter?

I am writing a search function that enables users to search a particular table on my database. My website runs on CodeIgniter.
For the search function, I use $_GET instead of the CodeIgniter $this->input->get() since I had trouble using the latter within a helper function.
Now, here's a security question:
What is the best way to sanitize and filter malicious characters in the $_GET array in order to prevent XSS and SQL injection?
Bearing in mind that data in the $_GET array will be used to query the database and retrieve info from it.
Is there a recursive way to clean the entire $_GET array without having to go through it one element at a time?
Should I use PHP's filter methods or CodeIgniter's?
Any advice will be greatly appreciated!
Thanks in advance!
CodeIgniter disables $_GET by default. Using the URI class you can simulate $_GET variables:
GET parameters in the URL with CodeIgniter
You can hack around it and use $_GET, which it sounds like you've done. But I wouldn't recommend that. You should use CodeIgniter's Input class. That provides XSS filtering and you can clean the entire $_GET array by running:
$this->input->get(NULL, TRUE); // returns all GET items with XSS filter
If you use CodeIgniter's database utility class to run your queries, it has an escape function built in. Look at the Escaping Queries section.
http://ellislab.com/codeigniter/user-guide/database/queries.html
You can use $this->db->escape($variable) to escape values in queries. It is strongly recommended to use CI's input class though.
Read more at : http://ellislab.com/codeigniter/user-guide/database/queries.html

Is Propel's fromArray/fromJSON feature safe from SQL injection?

The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this:
$foo = new Widget();
$foo->fromArray($_POST);
$foo->save(); /* Aaand you're done! */
...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.
Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and performance enhancing).
Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.
So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.
Propel is safe as Adnan said, but when you decide to use the fromArray() method, never pass the $_POST global variable directly. Otherwise, you open the door to the mass assignment attack.
You always have to check input data, in other words, you should never trust your users.
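The mass-assignment point raised in the last answer is the one practitioners most often get wrong: parameter binding stops SQL injection, but it does nothing about a client adding a field the form never offered. The following is an added example, not code from the thread or from Propel; the field list `$allowedFields` and the `Widget` model are illustrative assumptions, and the sample POST body is constructed. The same whitelist step applies equally to Yii2's `load()` from the earlier related question.

```php
<?php
// Added example: whitelist request fields before any mass-assignment call
// such as Propel's fromArray(). Not part of the original thread or of Propel.

/**
 * Return only the keys of $input that are listed in $allowedFields.
 * Keys are compared exactly; nothing is renamed or coerced here.
 */
function filterMassAssignment(array $input, array $allowedFields): array
{
    return array_intersect_key($input, array_flip($allowedFields));
}

/**
 * Return the keys of $input that were NOT in $allowedFields, so the caller
 * can log them: an unexpected key is a useful tamper-attempt signal.
 */
function droppedFields(array $input, array $allowedFields): array
{
    return array_keys(array_diff_key($input, array_flip($allowedFields)));
}

// Constructed sample POST body: the client added a field the form never had.
$post = [
    'name'     => 'Widget A',
    'price'    => '9.99',
    'is_admin' => '1',   // must never reach the model
];

$allowedFields = ['name', 'price'];   // assumed: the fields this form may set

$safeInput = filterMassAssignment($post, $allowedFields);
$dropped   = droppedFields($post, $allowedFields);

print_r($safeInput);   // Array ( [name] => Widget A [price] => 9.99 )
print_r($dropped);     // Array ( [0] => is_admin )  -> worth writing to a log

// With Propel (Widget is a Propel-generated class, not defined in this file):
// $foo = new Widget();
// $foo->fromArray($safeInput);   // key naming follows Propel's conventions
// $foo->save();
```

Validation of the remaining values (types, lengths, ranges) still belongs in the model's own validators; the whitelist only decides which keys may be assigned at all.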

Codeigniter, best practice for safe search

I am using CodeIgniter, and at the moment I am making a full-body search, and I am wondering what is the best practice to do this. For now I have this:
$keyword = $this->db->escape_like_str(trim($_POST['keyword']));
After that, the search is performed. Is this safe, or do I need to do something more (XSS filtering is on)?
Because you are accessing the _POST variable directly, you're bypassing all CI's XSS/Escaping and security features. You should be getting that as:
$this->input->post('keyword');
This is automatically escaped by CI, and you can perform other validations before just throwing it at the DB. Also if you use active record, then all values are automatically escaped as required too.

Escaping Characters from MySQL from PHP Framework

I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?
Thanks!
In order to use prepared statements, you can simply use query bindings with CodeIgniter.
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);
More info found here.
CakePHP runs all model queries through its own methods; if you use the model methods it automatically sanitizes any data passed to the query for you, i.e.:
$options['conditions'] = array('Product.status'=>$status);
$this->Product->find('first',$options);
Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.
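The answers above (and the earlier CodeIgniter search question that uses escape_like_str) describe what the frameworks do underneath: bind the value as a parameter instead of splicing it into SQL text. The script below is an added example, not code from the thread, CodeIgniter or CakePHP. It uses plain PDO against an in-memory SQLite table with constructed rows so it runs stand-alone, and it also covers the part binding alone does not solve: `%` and `_` in a search term still act as LIKE wildcards until they are escaped. Note that CodeIgniter's XSS filter (`$this->input->get(NULL, TRUE)`) addresses output to the browser, not SQL; the two are separate controls.

```php
<?php
// Added example: the same user search done unsafely and safely with PDO.
// Table and rows are constructed sample data; nothing here is from the thread.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO user (name) VALUES (?)');
foreach (['Jake', 'Jane', 'J_ke', "O'Brien"] as $name) {
    $ins->execute([$name]);
}

/**
 * Escape LIKE wildcards in a user-supplied term. Parameter binding keeps the
 * term out of the SQL grammar, but '%' and '_' are still wildcards inside a
 * LIKE pattern; this is the job CodeIgniter's escape_like_str() does.
 */
function escapeLikeTerm(string $term, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

/**
 * Unsafe: string interpolation. The term becomes part of the SQL text, so a
 * quote in it changes the query's structure. Kept only as the contrast case.
 */
function searchUnsafe(PDO $pdo, string $term): array
{
    $sql = "SELECT name FROM user WHERE name LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Safe: the term travels as a bound parameter, never as SQL text, and its
 * wildcards are escaped so they match literally. ESCAPE declares the escape
 * character for SQLite (MySQL already defaults to backslash).
 */
function searchSafe(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT name FROM user WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . escapeLikeTerm($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$hostile = "' OR '1'='1";   // constructed input: closes the quote in the unsafe query

print_r(searchUnsafe($pdo, $hostile));  // all four rows: the WHERE clause was rewritten
print_r(searchSafe($pdo, $hostile));    // Array ( ) : matched literally, nothing found
print_r(searchSafe($pdo, 'J_ke'));      // Array ( [0] => J_ke ) : '_' no longer matches 'a'
print_r(searchSafe($pdo, "O'Brien"));   // Array ( [0] => O'Brien ) : no manual quote escaping
```

Two details are worth keeping in mind when porting this to a framework: the escape character you pass to ESCAPE must match the one used in escapeLikeTerm(), and the surrounding `%...%` belongs in the bound value (as shown), not in the SQL string, otherwise it cannot be bound at all.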
