sql 注入时 cakephp 验证失败

cakephp validation fails on sql injection

我在我的 firefox 浏览器上安装了一个名为 "SQL Inject Me" 的插件,然后我在我的 Cakephp 网站上尝试了它。我看到它能够注入几个空白帐户(一些有密码)和一些没有密码。数据库不允许接受用户名、电子邮件等的空值,我也不确定它是如何绕过 cakephp 验证的。

我对用户名字段的 cakephp 验证

        'username' => array(
            'username must not be empty' => array(
                'rule' => 'notEmpty',
                'message' => 'username field cannot be empty'
            ),


            'username must be unique' => array(
                'rule' => 'isUnique',
                'message' => 'username is already taken'

            )
            'username must not contain special character' => array(
                'rule' => 'usernameValidation',
                'message' => 'username can only contain numbers, characters, underscores, dashes and Periods. Underscore, dash and Period are only allowed in the middle.'
            )
        )

我认为您的验证键有误。应该是这样的..

var $validate = array(
    'username' => array(
        'notEmpty' => array(
            'rule' => 'notEmpty',
            'message' => 'username field cannot be empty'
        ),


        'isUnique' => array(
            'rule' => 'isUnique',
            'message' => 'username is already taken'

        )
        'usernameValidation' => array(
            'rule' => 'usernameValidation',
            'message' => 'username can only contain numbers, characters, underscores, dashes and Periods. Underscore, dash and Period are only allowed in the middle.'
        )
    )
)

在保存它们时,您只需调用验证函数来完成验证规则。下面link可以帮助您了解如何在保存数据的同时从控制器进行验证。

http://book.cakephp.org/2.0/en/models/data-validation/validating-data-from-the-controller.html

谢谢..!

将键 'required' => true, 'allowEmpty' => false 添加到您的验证数组。

验证失败,因为如果您使用 firebug 等开发人员工具从表单中删除字段,那么 cakephp 验证将不适用于那些已删除的字段。

我为解决这些问题所做的是在将数据传递到保存方法之前使用此代码。

            if(!(isset($this->request->data['User']['email']))){
                $this->request->data['User']['email']='';
            }
            if(!(isset($this->request->data['User']['username']))){
                $this->request->data['User']['username']='';
            }
            if(!(isset($this->request->data['User']['password']))){
                $this->request->data['User']['password']='';
            }
            if(!(isset($this->request->data['User']['confirm_password']))){
                $this->request->data['User']['confirm_password']='';
            }       

如果缺少字段,则此代码将添加该字段并为其分配一个空字符串。然后这些字段将有资格进行验证,最终将无法通过验证。