Question for inject html

warmoger · January 31, 2011, 10:23pm

The function rules() in my model, I code:




array(

	'level, updateTime, publish',

	

	'required',

	'on'=>'update',

),

But if I inject html (firebug):




<div class="input">

	<label for="User_username" class="label">Username</label>

	<input type="text" value="admin" maxlength="19" id="User_username" name="User[username]">

</div>

I still can change username field, if so my website isn’t safe, what is solution for that?

Thanks.

tonydspaniard · February 1, 2011, 12:01am

Dont really understand your question. Why don’t you want to change the username? Your question isn’t properly written. Could you be more specific?

IMHO, it is the task of the programmer to securely program the application to handle those modifications on the server. In my CMSs for example, I double check the username against the database and make them unique, the validation of the username against the DB with their correspondent passwords and salt values will find out you are doing shifty business.

If you modify the username on the client and I have just dropped the details of user: peter instead of admin, I will immediately detect if you have changed the username and give you a nice message or get you out of the application with a nice report sent to the administrator.

Cheers

warmoger · February 1, 2011, 1:05am

That means is I should check all what I don’t allow change value inside controller. Right?

eval · February 1, 2011, 1:18am

Based on the documentation:

So if you don’t have username on update scenario, i don’t think it can be massively assigned.

Not sure though … just my thought based on the docs.

zaccaria · February 1, 2011, 7:06am

Check the whole rules, if you have some general rule (without scenario) it will be applied to each scenario, including update.

Delete all rules about user_name, and you will notice that the username will not be massively assigned.

If you have some doubt, post here all your rules, and we’ll help you.

warmoger · February 1, 2011, 8:16am

Thanks

zaccaria · February 1, 2011, 8:52am

Did you solved?

What was the problem? Pease, post your solution here for help future readers of the forum!

warmoger · February 2, 2011, 11:21pm




            array(

                'id, password, createTime',

            

                'unsafe',

                'on'=>'update',

            )

I don’t want end-user can modify id, password, createTime fields by the way inject html in browser. I hope that I right.

zaccaria · February 3, 2011, 7:08am

That is correct, but a better design is to remove all standard validators and mark as safe the field you need.

Is the logic of "allow what is needed" against "forbid what is dangerous".

Anyway, as you noticed, this solution work fine too.

warmoger · February 14, 2011, 4:13am

Thank you so much, zaccaria!

If I have any question, I will ask you.