When getting a form from a user, it should be double-checked in the user's action logic. A user could easily manipulate a form field to submit a new field to the server, like id="4294967294", and get the users table stuck. The user could, of course, guess other field names, or see other forms/views and get the field names from there. It has unlimited possibilities, like changing the fields "created", "modified", "lastvisit", "user.id" and a lot more. I tested it out on a company's blogging system, and I could easily modify the "created" field to 2007.
Throughout the examples in the manual (1.2 and 1.1), I haven't noticed any reminder of that possible risk, though I noticed the bad programming habits shown in the blog example and the old 1.1 manual:

    function add() {
        if (!empty($this->data)) {
            // $this->data is passed to save() exactly as submitted,
            // so every field the client sent is written to the table
            if ($this->Post->save($this->data)) {
                $this->flash('Your post has been saved.', '/posts');
            }
        }
    }

Is there a function that I'm unaware of that locks the fields from the form? Like:

    Controller->ExpectFields = array('Post.name', 'Post.title');

I checked the bakery's code, and found out that after adding a comment [the add form is secured], you could edit the comment to belong to another user by sending Comment.user_id from a form. I assume getting them isn't too hard, for it's probably found in the generated HTML code of the profiles.

Any thoughts about it?

You received this message because you are subscribed to the Google Groups "CakePHP" group. For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
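The field-locking idea sketched in the post above, as an added example that is not part of the original message and not CakePHP's own code: a small allow-list filter over the `Model => array(field => value)` layout CakePHP uses for `$this->data`. The `$expected` list plays the role of the proposed `ExpectFields`; any `Model.field` pair not named in it is dropped and reported, so the controller can log the tampering attempt and then set server-owned values (`user_id`, timestamps, the primary key) itself before calling `save()`. The sample submission, the user id `7` and the `error_log()` call are constructed for the example.

```php
<?php
// Added example: allow-list filter for submitted form data in the
// Model.field => value layout. Not from the original post or from CakePHP.

function filterExpectedFields(array $data, array $expected)
{
    // Build a lookup of allowed "Model.field" names (e.g. 'Post.title').
    $allowed = array();
    foreach ($expected as $name) {
        $allowed[$name] = true;
    }

    $clean = array();
    $rejected = array();

    foreach ($data as $model => $fields) {
        if (!is_array($fields)) {
            // A bare top-level scalar is not a Model => fields block; drop it.
            $rejected[] = $model;
            continue;
        }
        foreach ($fields as $field => $value) {
            $key = $model . '.' . $field;
            if (isset($allowed[$key])) {
                $clean[$model][$field] = $value;
            } else {
                // Anything the form was not designed to send is recorded, not saved.
                $rejected[] = $key;
            }
        }
    }

    return array('data' => $clean, 'rejected' => $rejected);
}

// Constructed sample: a comment form submission with extra fields added on
// the client side. user_id, created and id must never come from the form.
$submitted = array(
    'Comment' => array(
        'body'    => 'Nice post',
        'post_id' => '12',
        'user_id' => '1',           // tries to attribute the comment to another user
        'created' => '2007-01-01',  // tries to overwrite the creation timestamp
        'id'      => '4294967294',  // tries to choose the primary key
    ),
);

// Only the two fields the comment form is meant to carry are accepted.
$result = filterExpectedFields($submitted, array('Comment.body', 'Comment.post_id'));

// Server-owned values are assigned after filtering, from trusted state
// (hypothetical: the logged-in user's id taken from the session).
$result['data']['Comment']['user_id'] = 7;

if ($result['rejected']) {
    // Hypothetical logging hook; a real application would use its own logger.
    error_log('Unexpected form fields dropped: ' . implode(', ', $result['rejected']));
}

// $result['data'] is what would now be handed to $this->Comment->save().
print_r($result['data']);
```

Running this prints a `Comment` array containing only `body`, `post_id` and the server-assigned `user_id`, and logs `Comment.user_id, Comment.created, Comment.id` as rejected. Logging the rejected names, rather than silently discarding them, is what turns this from a pure mitigation into a detection signal: a legitimate browser never sends fields the form does not contain.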