Difference between revisions of "Mass Assignment"
From NetSec
Rochell4259 (Talk | contribs) |
(3 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
+ | {{Warning|This type of code is responsible for many [[vulnerability|vulnerabilities]]. Do not use this code in your [[application]]s ever.}} | ||
+ | |||
+ | == [[Ruby]] == | ||
Typically used in [[Ruby on Rails]], sometimes people will use the following code to create an ActiveRecord object to add a [[database]] entry: | Typically used in [[Ruby on Rails]], sometimes people will use the following code to create an ActiveRecord object to add a [[database]] entry: | ||
− | <syntaxhighlight lang=ruby> | + | {{code|text=<syntaxhighlight lang=ruby> |
@user=User.new(params[:user]) | @user=User.new(params[:user]) | ||
− | </syntaxhighlight> | + | </syntaxhighlight>}} |
There have been [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|problems]] with RoR in the past with [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|mass assignment]]. | There have been [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|problems]] with RoR in the past with [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|mass assignment]]. | ||
+ | == [[PHP]] == | ||
+ | |||
+ | |||
+ | {{code|text=<source lang="php"> | ||
+ | <?php | ||
+ | $object = new object(); | ||
+ | foreach ($_REQUEST as $property => $value) { | ||
+ | $object->$property = $value; | ||
+ | } | ||
+ | ?> | ||
+ | </source>}} | ||
+ | |||
+ | == [[Python]] == | ||
+ | |||
+ | |||
+ | {{code|text=<source lang="python"> | ||
+ | object = Object().locals().update(dict) | ||
+ | </source>}} | ||
+ | |||
+ | {{programming}} | ||
{{expand}} | {{expand}} |
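Review bot: The added Python line `object = Object().locals().update(dict)` cannot run as written. `locals()` is a builtin function rather than a method on an instance, and `update()` returns `None`, so even with a valid receiver the name `object` would be bound to `None` instead of the populated instance. The names `object` and `dict` also shadow builtins. Suggest creating the instance in one statement and updating its attribute dictionary from a clearly named request-data variable in a second. Separately, the new PHP and Python sections have no introductory sentence, unlike the Ruby section; one line per section saying what the snippet does with request data would match the warning template added at the top.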
Latest revision as of 05:13, 22 October 2012
This type of code is responsible for many vulnerabilities. Do not use this code in your applications ever.
Ruby
In Ruby on Rails, developers sometimes use the following code to create an ActiveRecord object and add a database entry:
<syntaxhighlight lang=ruby>
# Vulnerable: every key in params[:user] is assigned to the model
@user = User.new(params[:user])
</syntaxhighlight>
Ruby on Rails has had problems with mass assignment in the past.
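The following is an added example, not code from the original article or from Rails: a plain-Ruby stand-in for an ActiveRecord model that contrasts the unfiltered assignment above with an allowlisted one. The attribute names (`name`, `email`, `admin`), the `PERMITTED` list and the method names are assumptions made for illustration.

```ruby
# Plain-Ruby stand-in for an ActiveRecord model (no Rails required).
# Attribute names and the PERMITTED list are assumptions for this example.
class User
  attr_accessor :name, :email, :admin

  PERMITTED = %w[name email].freeze # fields a client is allowed to set

  def initialize
    @admin = false
  end

  # Unfiltered pattern from the article: every request key becomes an attribute write.
  def self.new_unfiltered(params)
    user = new
    params.each { |key, value| user.public_send("#{key}=", value) }
    user
  end

  # Hardened: copy only allowlisted keys and return the rest so they can be logged.
  def self.new_filtered(params)
    user = new
    rejected = []
    params.each do |key, value|
      if PERMITTED.include?(key.to_s)
        user.public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
    [user, rejected]
  end
end

# Constructed sample input: a sign-up request carrying one field the form never offered.
SAMPLE_PARAMS = { "name" => "alice", "email" => "alice@example.test", "admin" => true }.freeze

if __FILE__ == $PROGRAM_NAME
  unfiltered = User.new_unfiltered(SAMPLE_PARAMS)
  filtered, rejected = User.new_filtered(SAMPLE_PARAMS)
  puts "unfiltered: admin=#{unfiltered.admin}"
  puts "filtered:   admin=#{filtered.admin} rejected=#{rejected.inspect}"
end
```

In Rails 4 and later the framework's own allowlist mechanism is strong parameters, for example `params.require(:user).permit(:name, :email)`.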
PHP
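<source lang="php">
<?php
// Vulnerable: every request parameter becomes a property on the object
$object = new object();
foreach ($_REQUEST as $property => $value) {
    $object->$property = $value;
}
?>
</source>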
Python
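<source lang="python">
obj = Object()
obj.__dict__.update(data)  # vulnerable: every key in the request-supplied dict `data` becomes an attribute
</source>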
Mass Assignment is part of a series on programming.
This article contains too little information; it should be expanded or updated.