Login

michalsn · 11-18-2022, 03:42 AM

(11-17-2022, 05:26 PM)kenjis Wrote: I created another controller. I added the validation for id.
But it is still vulnerable.

https://github.com/kenjis/ci4-model-upda...#L101-L123

PHP Code:
public function update() { $id = $this->request->getPost('id'); // Adds validation rule for id. $rules = array_merge($this->rules, ['id' => 'required|is_natural_no_zero']); if ($this->validate($rules)) { $title = $this->request->getVar('title'); $slug = url_title($title, '-', true); $data = [ 'title' => $title, 'slug' => $slug, 'body' => $this->request->getVar('body'), ]; $this->model->update($id, $data); return $this->response->redirect(site_url('news3/' . $slug)); } return $this->edit($id); }

Ok, you got me here. How this is still a vulnerability?

kenjis Wrote:It seems no problem. It prevents unexpected all record updates.
What's your concern?

Not a big fan of the API I came up with.