Friday, January 30, 2009

symfony 1.2 upload file

symfony 1.2 上传文件

after hacking on 'uploading file' using symfony 1.2, i come here to blog this experience.

compared with 1.1 , 1.2 uses sfForm , sfValidatorFile to process uploading. But from my view, i like the way in 1.1 much more. 1.1 is doing what human usually think it should be.... i mean reasonable ...

i havent got it working with form and the sfValidatorFile. i will spend more time on it when i am unplugged.......

i dont like the concept of "Form". It came with Struts(Java) 1 , but even if the Form in Struts is better than the one in symfony, the concept of "form" has been removed from Struts 2. ppl complain about the "FORM" and just dont like it. so Struts2 elegantly discards "form" by using spring + pojo.

how to acheive uplaoding in 1.2 using deprecated 1.1 methods?

1. in config/ProjectConfiguration.php

$this->enableAllPluginsExcept(array('sfDoctrinePlugin', 'sfCompat10Plugin'));
remove the sfCompat10Plugin from it to enable 1.1 methods.

2. copy and reuse these codes
if ($request->hasFiles()) {
foreach ($request->getFileNames() as $uploadedFile) {
$fileName = $request->getFileName($uploadedFile);
$fileSize = $request->getFileSize($uploadedFile);
$fileType = $request->getFileType($uploadedFile);
$fileError = $request->hasFileError($uploadedFile);
$uploadDir = sfConfig::get('sf_upload_dir');
$request->moveFile($uploadedFile, $uploadDir.'/temp/logo/commu/'.$fileName);
that is all. is that reasonable? :)

Wednesday, January 21, 2009

Sql injection attack , how weak is your application ....

we've been working on this new version of the big website for more than one and a half year. We all know the potential bug in out code, so we need to be careful , careful and more careful.....

Recently when i went through the code, i run into one snippet which caught my eyes:

$sql = 'UPDATE user SET password="'.$password.'" WHERE email="'.$email.'" ';
$stmt = $con->prepareStatement($sql);

this a naked sql, which just update the password for the user's email access. No wrong with it, it works fine.
But where the magic comes is when we choose a password like 6" -- " , all the user's password was changed by me.
This is so called SQL injection attack, (SQL 注入攻击) ,Let's assume we have 1 million user in our website. Now i can change all these 1 million user's password as i want. even more , i can do anything with the db operation.

the sense behind it is the '--' which would be considered as comment character in db operation. anything following '--' would be ignored, other words: anything before it would be executed....;)

so.... how to avoid it?

use this:

$sql = 'UPDATE user SET password= ? WHERE email= ? ';
$stmt = $con->prepareStatement($sql);
$stmt->setString(1, $password);
$stmt->setString(2, $email);

with this, the prepared statement and positional parameter will handle '--', and by pass this attack.

Conclusion :

never use the naked sql by yourself. use OR mapping or prepared statement with named or positional parameter instead.