8. Schema free
Screen -> Blog collection: one document holds the whole post, no table schema needed
    Title   : xxxx
    Text    : yyyy
    Tag     : [tag1, tag2, tag3]
    Comment : [comment1, comment2, comment3]
@ichikaway http://cake.eizoku.com/blog/
63. Injection Attack
    $user = $collection->find(array(
        "username" => $_GET['username'],
        "passwd"   => $_GET['passwd']
    ));
● PHP makes array data from GET/POST request
● ex. login.php?username=admin&passwd[$ne]=1
64. Injection Attack
What the driver actually receives for that request (single quotes around '$ne', since in a double-quoted PHP string "$ne" would be variable interpolation):
    $user = $collection->find(array(
        "username" => 'admin',            // $_GET['username']
        "passwd"   => array('$ne' => 1)   // $_GET['passwd']  -> matches any password
    ));
● PHP makes array data from GET/POST request
● ex. login.php?username=admin&passwd[$ne]=1
65. Solution
● Don't trust user input data
    ● GET/POST/Cookie
● Solution
    ● Cast to string
    ● Check all keys of array
66. Solution
Cast to string
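The two fixes from slides 65 and 66 (cast to string; check all keys of an array) side by side with the unsafe version, as an added example that is not code from the slides or from @ichikaway. It uses parse_str(), which applies the same bracket syntax PHP uses to build $_GET, so it runs with the php CLI and no MongoDB driver; the function names buildFilterUnsafe, buildFilterSafe, scalarString and containsOperatorKey are assumptions of this example, and the two query strings are constructed.

```php
<?php
// Added example, not from the original slides. Shows the filter array the
// login code on slide 63 would hand to find() for a normal and for an
// operator-injected request, then the hardened version of the same code.

// Unsafe: mirrors slide 63, values go straight from the request into the filter.
function buildFilterUnsafe(array $params): array {
    return array(
        "username" => $params['username'] ?? null,
        "passwd"   => $params['passwd'] ?? null,
    );
}

// Fix 1 (slide 66): require a scalar and cast it to string.
// An array here can only come from the foo[key]=value request syntax.
function scalarString(array $params, string $key): string {
    if (!array_key_exists($key, $params) || is_array($params[$key])) {
        throw new InvalidArgumentException("Parameter '$key' must be a scalar string");
    }
    return (string)$params[$key];
}

function buildFilterSafe(array $params): array {
    return array(
        "username" => scalarString($params, 'username'),
        "passwd"   => scalarString($params, 'passwd'),
    );
}

// Fix 2 (slide 65): for fields where an array is legitimate (e.g. the Tag
// list on slide 8), walk every key recursively and refuse any that starts
// with '$', since those are MongoDB query operators.
function containsOperatorKey($value): bool {
    if (!is_array($value)) {
        return false;
    }
    foreach ($value as $k => $v) {
        if (is_string($k) && $k !== '' && $k[0] === '$') {
            return true;
        }
        if (containsOperatorKey($v)) {
            return true;
        }
    }
    return false;
}

// Constructed query strings; parse_str() fills $params the way PHP fills $_GET.
$cases = array(
    'normal'   => 'username=admin&passwd=secret',
    'injected' => 'username=admin&passwd[$ne]=1',
);

foreach ($cases as $label => $qs) {
    parse_str($qs, $params);
    echo "== $label: $qs\n";
    echo "unsafe filter        : " . json_encode(buildFilterUnsafe($params)) . "\n";
    echo "operator key present : " . var_export(containsOperatorKey($params), true) . "\n";
    try {
        echo "safe filter          : " . json_encode(buildFilterSafe($params)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected             : " . $e->getMessage() . "\n";
    }
}
```

For the normal request both builders produce {"username":"admin","passwd":"secret"}; for the injected one the unsafe builder produces {"username":"admin","passwd":{"$ne":"1"}}, containsOperatorKey() reports true, and buildFilterSafe() throws instead of sending the operator to the database. Casting handles the common case of a field that must be a string; the key check is the extra guard for fields that are allowed to be arrays.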