doubo4824 2014-11-26 14:26
Views: 9
Accepted

Sanitizing parameters in CakePHP

I have the following method in my CakePHP model:

public function login($login, $password) {

    $arr = $this->find('first', array(
        'conditions' => array(
            'deleted' => 0,
            'online'  => 1,
            'login'   => $login,
            // password compared inside a raw SQL fragment built by string concatenation
            'AES_DECRYPT(UNHEX(password),\'secretkey\')=\'' . $password . '\''
        )
    ));

    return $arr;
}

This method accepts two parameters ($login, $password) to authenticate the user.

I am wondering if this method is safe against SQL injection and other attacks.

If not, which is the best way to sanitize the input parameters using CakePHP?

I see that the Sanitize Class is deprecated as of 2.4.


3 answers

douyan1896 2014-11-26 18:33

    Model::find() is only safe when used properly!

    You must know that only the values in key => value pairs are being escaped; keys and non-keyed (numerically keyed) values are inserted into the SQL query as is!

    Quote from the docs:

    CakePHP only escapes the array values. You should never put user data into the keys. Doing so will make you vulnerable to SQL injections.

    http://book.cakephp.org/2.0/en/models/retrieving-your-data.html#complex-find-conditions

    So your find() call, as is, is unsafe and prone to SQL injections; it should instead look like this:

    $arr = $this->find('first',array(
        'conditions' => array(
            'deleted' => 0,
            'online' => 1,
            'login' => $login,
            'AES_DECRYPT(UNHEX(password),\'secretkey\')' => $password
        )
    ));
    

    That way the user input $login and $password is being escaped properly.

    This answer was selected by the asker as the best answer.
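The following is an added example, not part of the original question or answer and not CakePHP's own code. It is a deliberately tiny stand-in for the rule the answer quotes from the docs (array values are escaped, keys and unkeyed string entries are pasted into the SQL verbatim), so that the difference between the two find() calls on this page can be seen offline. `buildConditions()`, `quoteValue()` and `quotesBalanced()` are hypothetical helpers written for this demonstration; they do not reproduce CakePHP's DboSource, and the input values are constructed.

```php
<?php
// Simplified model of how a conditions array becomes a WHERE clause.
// Rule modelled (from the CakePHP docs quoted above): values get escaped,
// keys and numerically keyed entries are used as-is.

function quoteValue($value) {
    // Numbers pass through unquoted; anything else becomes a quoted literal
    // with backslashes and single quotes escaped. Constructed escaper, not
    // the one a real database driver uses.
    if (is_int($value) || is_float($value)) {
        return (string)$value;
    }
    $escaped = str_replace(array('\\', "'"), array('\\\\', "\\'"), (string)$value);
    return "'" . $escaped . "'";
}

function buildConditions(array $conditions) {
    $parts = array();
    foreach ($conditions as $key => $value) {
        if (is_int($key)) {
            // Numerically keyed entry: the whole string is trusted SQL.
            $parts[] = $value;
        } else {
            // "field or expression => value": only the value is quoted.
            $parts[] = $key . ' = ' . quoteValue($value);
        }
    }
    return 'WHERE ' . implode(' AND ', $parts);
}

function quotesBalanced($sql) {
    // Drop escaped quotes, then an odd number of remaining quotes means a
    // string literal was terminated early by user-supplied input.
    $stripped = str_replace("\\'", '', $sql);
    return substr_count($stripped, "'") % 2 === 0;
}

// Constructed inputs: a password that happens to contain a quote character.
$login    = 'alice';
$password = "p'ss";

// Form from the question: the password is concatenated into a numerically
// keyed string, so it bypasses escaping entirely.
$unsafe = buildConditions(array(
    'deleted' => 0,
    'online'  => 1,
    'login'   => $login,
    'AES_DECRYPT(UNHEX(password),\'secretkey\')=\'' . $password . '\'',
));

// Form from the answer: the expression is the key, the password is the value.
$safe = buildConditions(array(
    'deleted' => 0,
    'online'  => 1,
    'login'   => $login,
    'AES_DECRYPT(UNHEX(password),\'secretkey\')' => $password,
));

echo "unsafe: ", $unsafe, "\n";
echo "  quotes balanced: ", var_export(quotesBalanced($unsafe), true), "\n";
echo "safe:   ", $safe, "\n";
echo "  quotes balanced: ", var_export(quotesBalanced($safe), true), "\n";
```

Run with `php example.php`. In the concatenated form the quote inside the password closes the SQL literal early, which `quotesBalanced()` reports as an unbalanced clause; in the key => value form the same character comes out escaped inside the literal, because it travelled through the value side of the array where escaping is applied.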