I have a basic Yii CActiveForm that I'm using to gather input from users, which then is inserted into a database [edit] via default Yii ActiveRecord models[/edit]. Like anyone, I want to make sure that a clever user doesn't drop my database via one of these fields.
The question is: does the Yii CActiveForm automatically sanitize input before it can do anything malicious? I can't find any documentation on this. Not sure if I need to spend time on it or it's already taken care of.
Thanks!
When you say "CActiveForm", I assume you mean using the Yii-generated models and controllers. CActiveForm doesn't automatically do any sanitizing for you, but if you use the ActiveRecord methods that Yii uses by default, it will generally do the PDO bindings for you based on the data types of each field. If you are creating your own queries using createCommand() or other method, you should define your own bindings.
If you want to see what's going on, you can turn on logging, e.g., to generate a file with the db commands, add this to your config file in the components->log array:
'components'=>array(
'log'=>array(
'class'=>'CLogRouter',
'routes'=>array(
array(
'class'=>'CFileLogRoute',
'levels'=>'trace, info',
'categories'=>'system.db.*',
'logFile'=>'db.log',
),
...
and if you see the update statements parameterized, you can be pretty sure they are using PDO bindings, which will prevent most, but not necessarily all, SQL attacks. (By default the log file is saved in your "runtime" directory, which you can then trace out. You can also have it displayed at the bottom of the web page or FireBug with CWebLogRoute, but that won't show all commands if a page gets redirected.)
CActiveForm does not automatically do any sanitation of user input. That said, some are more details about Yii security:
Cross-Site Scripting Security (XSS):
The Yii Guide post about it's security features:
http://www.yiiframework.com/doc/guide/1.1/en/topics.security
To summarize the link above, you can pretty easily enable the CHtmlPurifier filter to sanitize user input before your action fires, but it's not the default behavior.
Yii also has some features you can turn on to validate cookies and prevent cross-site request forgery, also mentioned in the link.
Database Security:
As for your concern about user input dropping your database, if you use Yii's standard Data Access Objects (like CActiveRecord) and MySql, the PDO bindings used to save data should prevent against 1st order SQL injection attacks.
Yii doesn't provide input sanitization feature. The CHtmlPurifier component is used used to sanitize the data to be displayed to end-users.
You can use PHP filter_input() function directly (http://us3.php.net/m...ilter-input.php) if you want to sanitize the input.
I get these answare from the below link
http://www.yiiframework.com/forum/index.php/topic/1041-how-to-sanitize-post/
Related
So currently in the project we have a collection of documents that don't require authentication to be read. They are write/update protected, but everyone can read.
What we are trying to prevent is that someone looks at the firebase endpoints and somehow manages to scrape the entire collection in json format (if this is even possible). The data is public, but I want it only to be accessible from our website.
One of the solutions we could think of was SSR (we are already using Next.js), but implementing SSR just for this reason doesn't seem very enticing.
Any suggestions would be appreciated.
EDIT:
Let me rephrase a little bit.
From what you see in the network tab, is it possible to forge/create a request to Firestore and get the entire collection instead of just the 1 document that was intended?
The best solution in your case is SSR. I know, it could sound as not enticing, but well, let's reason on when we should use SSR, then. In your use case, there is an important requirement: security. I think this is already a strong enough reason to justify the usage of SSR.
Also, creating an ad hoc service account for the next.js app, and securing the data with custom rules that allow the read of your data only to that service account, would only improve the overall security level.
Last: reading the data server side should make your site work a little faster, even if it would be difficult to notice, because we are talking about milliseconds. Notice that your page, as it is now, will need to be loaded, before the request to Firebase could be sent. This is adding a small delay. If the data is loaded server side, the delay is not added.
is it possible to forge/create a request to Firestore and get the entire collection instead of just the 1 document that was intended?
If you want to limit what people can request from a collection, you're looking for security rules. The most common model there is some form of ownership-based access control or role-based access control, but both of those require some way of identifying the user. This could be anonymously (so without them entering credentials), but it'd still be a form of auth.
If you don't want to do that, you can still control how much data can be gotten through the API in one go. For example, if you in the security rules allow get but not list, the user can only request a document once they know its ID. Even if you allow list, you can control in rules what queries are allowed.
I think one approach could be writing a Cloud Function that retrieves this public data using the admin SDK. Then, you could set a rule that nobody can read those documents. This means that only your Cloud Function with the admin SDK will have access to those documents.
Finally, you could set up AppCheck for that specific Cloud Function, this way, you ensure that the request is coming from your client app only.
https://firebase.google.com/docs/app-check
I want to host a clean, branded site that allows users to submit data which I will post process on some regular cadence and send custom emails based on data processing results. I can write code and have extensive experience with AWS, but am looking for the fastest solution.
Any experienced web developers have suggestions of which hosting solution to use? Wix, Squarespace, WordPress. I would prefer Squarespace but am not finding clear documentation stating I can create a form which writes to a database (I.e. DynamoDB, Redshift).
Any suggestions would be great! Thanks!
Having a good deal of experience with Squarespace, I will address the question "Is it possible to connect a Squarespace form to a third-party database and, if so, by what means?". While I won't address Wix or Wordpress, hopefully it will provide some objective answers and provide some help to your larger context/question.
Squarespace doesn't support any server-side code; it only supports supports the addition of HTML, CSS and Javascript within Code Injection, Code Blocks, and Developer Mode.
Therefore, your options are:
Send the data client-side with JavaScript. Write your own HTML form and insert it via code block, markdown block, of developer mode. Then write the corresponding JavaScript to send the data, on submit, to your external database. Alternatively, use a Squarespace form block, prevent the default submission from executing and use your own methods instead.
Connect the Squarespace form block to a Google Sheet and the sheet to the external DB via Apps Script. Once connected, use Apps Script (set to trigger when a row is added to the sheet) to obtain the submission from the sheet and send it to your external database (similar to this or this, but you'll be going "the other way", sending data to the external DB from Apps Script).
Use Zapier (or similar service) to bridge the gap, either using Squarespace's built-in integration or setting up Zapier on your own and setting the Zapier email address as the email recipient. You can use Zapier to send form submissions to a new item in DynamoDB, for example. It appears that, at a minimum, you'd have to pay for Zapier as that is a "Premium Integration". For Squarespace, if you were to use their built-in Zapier integration, you'll have to pay for a higher-cost plan (which could be avoided by using the email storage option instead, as mentioned previously).
I think you should choose WordPress, they have a huge documentation, a big community, you can get a ton of support from Wordpress's users when you run into a problem.
Single Page Application which is developed in angular JS. I Just wanted to know the audit of the user activity in the front end timeline based on the users interaction with the database.
The database layer is done using HIBERNATE and controller layer with JERSEY Restful web-services. I wants to Audit the user operations on add,modify,delete etc in the UI while interacting with the hibernate.
I have gone through some posts , Some suggests JPA API for hibernate auditing, some suggests Spring DATA to achieve it. I Wanted the audit data to be shown up when user interacts with the system as well as arranging it in the back-end also.
Help me from the best architecture perceptive,flow or road-map to achieve it and also give me some learning tutorials.
Thanks in advance
Based on the assumption that by auditing you mean to be able track the change history that is made to entity rows at the database level, then yes Hibernate has an extension called Hibernate Envers that does this for you.
You can find documentation on Envers here
The jist is that you simply need to annotate your entities with #Audited either at the class level or on a per property level, supply a few configuration parameters at the time you construct either your EntityManagerFactory or SessionFactory and make sure you have the appropriate tables created in your database.
Once the revision tracking has started, you can then easily query for audit changes by using the org.hibernate.envers.AuditReader interface. See the documentation for how to obtain this.
Let's assume that you are working at the first version of a new Django application and you are keep adding changing the models.
Being a data-driven application you are mostly working to customize django admin.
In this case syncdb is not too useful because it will fail to update models. South was interesting but it does not make too much sense when you are working at the first version.
Deleting database and reinitializing it require several commands and also you manually entering the new admin account.
How do you propose to set your development environment so you can:
auto-restart django server when files changed
auto-reinitialize database when django is restarted
As a result, I expect to be able to add a new attribute to a model, switch to the browser and refresh the admin page and see the new attribute.
Providing initial data for models
It’s sometimes useful to pre-populate your database with hard-coded data when you’re first setting up an app. There’s a couple of ways you can have Django automatically create this data: you can provide initial data via fixtures, or you can provide initial data as SQL.
In general, using a fixture is a cleaner method since it’s database-agnostic, but initial SQL is also quite a bit more flexible.
http://docs.djangoproject.com/en/dev/howto/initial-data/
I was wondering if you could help me work through accessing the html behind a login page using C and libcurl.
Specific Example:
The website I'm trying to access is https://onlineservices.ubs.com/olsauth/ex/pbl/ubso/dl
Is it possible to do something like this?
The problem is that we have a lot of clients each of which has a separate login. We need to get data from each of their accounts every day. It would be really slick if we could write something in C to do this and save all the pertinent data into a file. (like the values of the accounts and positions which I can parse from the html)
What do you guys think? Is this possible and could you help point me in the right direction with some examples, etc...?
After a cursory glance at the login page, it is possible to do this with libcurl, by posting the username/password combo to their authenticating page, and assuming they use cookies to represent a login session. The first step is to make sure that you've got the following options set:
CURLOPT_FOLLOWLOCATION - The server may redirect after authenticating, this is quite common.
CURLOPT_POST - This tells libcurl to switch into post mode.
CURLOPT_POSTFIELDS - This tells libcurl the values to set for the post fields. Set this option to "userId=<insert username>&password=<insert password>". That value is derived from the source code for that page.
CURLOPT_USERAGENT - Set a simple user-agent, so that the web server won't throw it out (some strict ones will do this).
Then, once the post is complete, the libcurl instance should contain some sort of authorisation cookie used by the site to identify a logged-in user. Curl should keep track of cookies within a given instance. There are plenty of options for Curl if you want to tweak how cookies behave.
Make sure that once you are 'logged-in' that the same libcurl instance is used for each request under that account, otherwise it will see you as logged out.
As for parsing the resulting pages go, there are tonnes of HTML parsers for c - just google. The only thing I will say is do not try to write an HTML parser yourself. It is notoriously tricky, because a lot of sites don't produce good (or even working) HTML.