Hmm... well usually what you'd want to do is put the secret value into a session variable,

    $this->Session->write('secretvalue', 'whateverthesecretvalueis');

Once the person has posted the value from the hidden input tag, you can then check it against the secret value to make sure that they're the same.

    if ($this->Session->check('secretvalue')) {
        if ($this->Session->read('secretvalue') == $this->data['Model']['secretvalue']) {
            // everything's a ok....
        } else {
            // bad hacker... bad!
        }
    } else {
        // session value not set, do a redirect
    }

You can also look at the Security component in the CakePHP manual for more security helpers, like requirePost to require a POST rather than a GET request. I also recommend that you buy 'Essential PHP Security' by Chris Shiflett, http://www.oreilly.com/catalog/phpsec/. Hope this helps : ).

On Jul 30, 2:42 pm, morecakepls <[EMAIL PROTECTED]> wrote:
> Hi
>
> What if my table is named User and there are three fields called
> Username, Password, Secretvalue. I present the user a form to change
> the username and password and use the $this->User->save($this->data)
> function in the controller to save the form data to the database.
>
> I managed to use firefox to create another input element for the
> Secretvalue and changed the Secretvalue in the User table. Is this not
> a serious security issue? How can I avoid this? Should I validate
> before saving data to the database?
>
> Thanks
> morecakepls

You received this message because you are subscribed to the Google Groups "Cake PHP" group.
http://groups.google.com/group/cake-php?hl=en
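The problem morecakepls describes is mass assignment: save($this->data) writes whatever columns the browser sends. The controller below is an added illustration, not code from this thread; it assumes a CakePHP 1.2-era Model::save($data, $validate, $fieldList) whitelist parameter, a User model with username, password and secretvalue columns, and a session key User.id holding the logged-in user's id.

```php
<?php
// Added example, not from the thread. Assumes CakePHP 1.2-style
// controllers and Model::save($data, $validate, $fieldList).
class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Security component: only accept POST for the edit action.
        $this->Security->requirePost('edit');
    }

    function edit() {
        // Assumption: the logged-in user's id is kept in the session.
        $userId = $this->Session->read('User.id');
        if (!$userId) {
            $this->redirect(array('action' => 'login'));
        }

        if (!empty($this->data)) {
            // Vulnerable pattern (what the question describes):
            //   $this->User->save($this->data);
            // Any extra input the client adds, e.g. secretvalue, is written.

            // Hardened: the form may only change these two columns.
            $allowed = array('username', 'password');

            // Detection: log any field the form is not supposed to send.
            $sent  = array_keys($this->data['User']);
            $extra = array_diff($sent, array_merge($allowed, array('id')));
            if (!empty($extra)) {
                $this->log('User ' . $userId . ' posted unexpected fields: '
                    . implode(',', $extra), LOG_ERROR);
            }

            // Never trust a client-supplied id; bind the row to the session.
            $this->data['User']['id'] = $userId;

            // Third argument is the whitelist; secretvalue is ignored even if posted.
            if ($this->User->save($this->data, true, $allowed)) {
                $this->Session->setFlash('Saved.');
                $this->redirect(array('action' => 'edit'));
            }
        }

        // Only expose the fields the form edits; never send secretvalue to the view.
        $this->data = $this->User->read(array('id', 'username'), $userId);
    }
}
```

Whitelisting at save time is the fix; the log line gives you a signal that someone tampered with the form, which silent field-dropping alone would hide.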