Hmm... well usually what you'd want to do is put the secret value into
a session variable,

$this->Session->write('secretvalue', 'whateverthesecretvalueis');

Once the person has posted the value from the hidden input tag, you
can then check it against the secret value to make sure that they're
the same.

if ($this->Session->check('secretvalue')) {
    // Guard against a missing hidden input, then compare strictly:
    // '==' would let PHP type-juggle the two values (e.g. numeric strings).
    if (isset($this->data['Model']['secretvalue'])
        && $this->Session->read('secretvalue') === $this->data['Model']['secretvalue']) {
        // everything's A-OK....
    } else {
        // bad hacker... bad!
    }
} else {
    // session value not set, do a redirect
}

You can also look at the Security component in the CakePHP manual for
more security helpers, like requirePost to require a POST rather than
a GET request.
I also recommend that you buy 'Essential PHP Security' by Chris
Shiflett, http://www.oreilly.com/catalog/phpsec/.

Hope this helps : ).

On Jul 30, 2:42 pm, morecakepls <[EMAIL PROTECTED]> wrote:
> Hi
>
> What if my table is named User and there are three fields called
> Username, Password, Secretvalue. I present the user a form to change
> the username and password and use the $this->User->save($this->data)
> function in the controller to save the form data to the database.
>
> I managed to use firefox to create another input element for the
> Secretvalue and changed the Secretvalue in the User table. Is this not
> a serious security issue? How can I avoid this? Should I validate
> before saving data to the database?
>
> Thanks
> morecakepls


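The two defences this thread points at, as an added example that is not code from either poster or from CakePHP: drop any posted field the form is not allowed to write (the injected Secretvalue column from the question), and compare the secret echoed back by a hidden input against the session copy (the reply's check), in constant time. It is plain PHP that runs from the command line; the field names (User.Username, User.Password, User.Secretvalue, the hidden input `secretvalue`) are taken from the thread, the session value and the sample requests are constructed, and the function names are mine.

```php
<?php
// Added example for the thread above; not from the original posts or from CakePHP.

// Keep only the keys the form is allowed to write. Everything else the
// browser sent (an injected Secretvalue, id, role, ...) is discarded before
// the data reaches save(). The hidden-input token is dropped here too: it is
// checked, never persisted.
function filterAllowedFields(array $posted, array $allowed)
{
    return array_intersect_key($posted, array_flip($allowed));
}

// Check the hidden-input secret against the session copy.
// Returns 'ok', 'mismatch' (tampered or missing input) or 'nosession'
// (the reply's "do a redirect" case). hash_equals() (PHP >= 5.6) avoids a
// timing side channel; the strict type checks avoid PHP's loose comparison.
function checkSecret(array $session, array $posted)
{
    if (!isset($session['secretvalue']) || !is_string($session['secretvalue'])) {
        return 'nosession';
    }
    if (!isset($posted['secretvalue']) || !is_string($posted['secretvalue'])) {
        return 'mismatch';
    }
    return hash_equals($session['secretvalue'], $posted['secretvalue'])
        ? 'ok' : 'mismatch';
}

// What the edit action does with one request (hypothetical action logic):
// verify the token first, then whitelist the columns this form may change.
function handleEdit(array $session, array $data)
{
    $user   = isset($data['User']) && is_array($data['User']) ? $data['User'] : array();
    $status = checkSecret($session, $user);
    if ($status !== 'ok') {
        return array('status' => $status, 'saved' => null);
    }
    // Only Username and Password may be written by the change form.
    $clean = filterAllowedFields($user, array('Username', 'Password'));
    return array('status' => 'ok', 'saved' => $clean);
}

// Constructed session and requests (not captured traffic).
$session = array('secretvalue' => 'f3a9c2e1b4d6');

$requests = array(
    // Honest user: correct hidden input, changes only username/password.
    'honest' => array('User' => array(
        'Username'    => 'alice',
        'Password'    => 'new-password',
        'secretvalue' => 'f3a9c2e1b4d6',
    )),
    // The question's attack: same form, plus a Secretvalue input added with
    // the browser's DOM tools. The whitelist drops it; nothing else changes.
    'tampered' => array('User' => array(
        'Username'    => 'alice',
        'Password'    => 'new-password',
        'secretvalue' => 'f3a9c2e1b4d6',
        'Secretvalue' => 'attacker-chosen',
    )),
    // Attacker guessing the hidden input: rejected before any save.
    'guessed' => array('User' => array(
        'Username'    => 'alice',
        'Password'    => 'new-password',
        'secretvalue' => '000000000000',
    )),
);

foreach ($requests as $name => $req) {
    $r = handleEdit($session, $req);
    printf("%-8s status=%-9s saved=%s\n", $name, $r['status'],
        $r['saved'] === null ? '-' : json_encode($r['saved']));
}

// No session at all (expired, or the form page was never served).
$r = handleEdit(array(), $requests['honest']);
printf("%-8s status=%s\n", 'expired', $r['status']);
```

In a CakePHP controller the same whitelist goes immediately before `$this->User->save($this->data)`; if your version's `Model::save()` accepts a third `$fieldList` argument (1.2 does), passing `array('Username', 'Password')` there does the same job at the model layer. The Security component's `requirePost` from the reply sits alongside this: it stops GET requests reaching the action, but it does not remove extra fields from a POST, so the whitelist is still needed.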