FuelPHP Forums

fatal error when trying to delete the data
  • Hi all, can you please tell me what this error means?
    Fatal error: Exception thrown without a stack frame in Unknown on line 0
    
    This error occurred when I was trying to delete the data from the table. The code is as follows:
    \DB::delete(\Config::get('simpleauth.table_name'))->where('id','=',\Uri::segment(3));
    \Session::set_flash('notice', "User deleted sucessfully");
    \Response::redirect('login/');
    
  • This can happen if the error handler itself throws an error. Which version of Fuel are you using?
    P.S. Did you know that code is very dangerous? By changing the 3rd segment of the URI, a user can delete all user records...
  • I upgraded Fuel to 1.0 just yesterday.
    "p.s. did you know that code is very dangerous? By changing the 3rd segment of the URI, a user can delete all user records..."
    How should I do it to prevent that, then? I need some ideas. Thank you in advance.
  • Always try to deal with potentially destructive operations using a POST instead of a GET. And use CSRF to protect the form from being vulnerable to outside attacks. If not possible, make sure the security of your application is such that the link can't be accessed by an unauthorized person.
    
    Then, on the page that presents the links to the user (in this case perhaps a list of users?), set a session variable indicating you are on that page. When the user clicks on the delete link, check in your code if this session variable exists and contains the correct value. If not, refuse the delete operation. If it does, perform the operation, and delete the session variable (or use a flash variable, which will be deleted automatically).
    
    This way, a delete will only work if the user has clicked on the link you provided, and not if someone typed it in as a URL, no matter whether or not the person doing that is authorised to delete users. You also have reduced the risk of a malicious piece of JavaScript requesting that link, using the rights of the user in a CSRF attack (not completely, it would still work if the user happened to be on the users list page when the attack happened).
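
The approach described in the last reply, as an added example that is not part of the thread or FuelPHP's own code: a POST-only delete action that checks the CSRF token, the caller's rights and a one-time session marker set by the list page. The controller, route and view names, the session key and the admin group id 100 are assumptions, and it is written for a FuelPHP release in which actions return a View.

```php
<?php
// Added example, not code from the thread. Controller, route and view names,
// the session key and the admin group id (100) are assumptions.
class Controller_Users extends \Controller
{
    const LIST_MARKER = 'users_list_visited';

    // List page: mark the session so a delete is accepted only from here.
    public function action_index()
    {
        \Session::set(self::LIST_MARKER, 'users/index');
        // The view renders each delete control as a POST form with a hidden CSRF field.
        return \View::forge('users/index', array(
            'csrf_key'   => \Config::get('security.csrf_token_key'),
            'csrf_token' => \Security::fetch_token(),
        ));
    }

    public function action_delete()
    {
        // 1. Destructive action: POST only, with a valid CSRF token.
        if (\Input::method() !== 'POST' or ! \Security::check_token()) {
            return $this->refuse();
        }
        // 2. Caller must be logged in and a member of the admin group.
        if ( ! \Auth::check() or ! \Auth::member(100)) {
            return $this->refuse();
        }
        // 3. Request must follow a visit to the list page; consume the marker.
        $marker = \Session::get(self::LIST_MARKER);
        \Session::delete(self::LIST_MARKER);
        if ($marker !== 'users/index') {
            return $this->refuse();
        }
        // 4. Accept only a positive integer id from the POST body, never the URI.
        $id = \Input::post('id');
        if ( ! is_string($id) or ! ctype_digit($id) or (int) $id < 1) {
            return $this->refuse();
        }
        $rows = \DB::delete(\Config::get('simpleauth.table_name'))
            ->where('id', '=', (int) $id)->execute();
        \Session::set_flash('notice', $rows > 0 ? 'User deleted successfully' : 'No such user');
        \Response::redirect('users/index');
    }
    private function refuse()
    {
        \Session::set_flash('notice', 'Delete request refused');
        \Response::redirect('users/index');
    }
}
```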
