i installed a plugin on my firefox browser which is called "SQL Inject Me" and then I tried it against my Cakephp website. I see that it was able to inject few blank accounts (some with password) and some without password. The database is not allowed to accept null values for username, emails etc also I'm not sure how is it able to bypass cakephp validation.
my cakephp validation for username field
'username' => array(
'username must not be empty' => array(
'rule' => 'notEmpty',
'message' => 'username field cannot be empty'
),
'username must be unique' => array(
'rule' => 'isUnique',
'message' => 'username is already taken'
)
'username must not contain special character' => array(
'rule' => 'usernameValidation',
'message' => 'username can only contain numbers, characters, underscores, dashes and Periods. Underscore, dash and Period are only allowed in the middle.'
)
)
Validations were failing because if you remove fields from a form using developers tools like firebug then cakephp validations will not work for those removed fields.
what i did to fix these issues is to use this code right before passing data to save method.
if(!(isset($this->request->data['User']['email']))){
$this->request->data['User']['email']='';
}
if(!(isset($this->request->data['User']['username']))){
$this->request->data['User']['username']='';
}
if(!(isset($this->request->data['User']['password']))){
$this->request->data['User']['password']='';
}
if(!(isset($this->request->data['User']['confirm_password']))){
$this->request->data['User']['confirm_password']='';
}
If there is a missing field then this code will add that field and assign an empty string to it. Then those fields will be eligible for validation and will eventually fail validation.
I think your validations has wrong keys. That should be like this..
var $validate = array(
'username' => array(
'notEmpty' => array(
'rule' => 'notEmpty',
'message' => 'username field cannot be empty'
),
'isUnique' => array(
'rule' => 'isUnique',
'message' => 'username is already taken'
)
'usernameValidation' => array(
'rule' => 'usernameValidation',
'message' => 'username can only contain numbers, characters, underscores, dashes and Periods. Underscore, dash and Period are only allowed in the middle.'
)
)
)
and while saving them you just have to call validate function to go through the validation rules. Below link can help you to how to validate from controller while saving the data.
http://book.cakephp.org/2.0/en/models/data-validation/validating-data-from-the-controller.html
Thanks..!
Add the keys 'required' => true, 'allowEmpty' => false to your validation arrays.