When receiving a form from a user, it should be double-checked in the
user's action logic.
A user could easily manipulate a form field to submit a new field to
the server, like id="4294967294", and get the users table stuck. The user
could, of course, guess other field names, or look at other forms/views
and get the field names from there.
The possibilities are unlimited, like changing the fields "created",
"modified", "lastvisit", "user.id" and a lot more.
I tested it out on a company's blogging system, and I could easily
modify the "created" field to 2007.

Throughout the examples in the manual (1.2 and 1.1), I haven't noticed
any warning about that possible risk, though I did notice the bad
programming habits shown in the blog example and the old 1.1 manual.

function add() {
  if (!empty($this->data)) {
    // $this->data is passed to save() exactly as the client posted it:
    // every Post.* key in the form ends up in the INSERT
    if ($this->Post->save($this->data)) {
      $this->flash('Your post has been saved.', '/posts');
    }
  }
}

Is there a function I'm unaware of that locks the fields of the
form?
Like: Controller->ExpectFields = array('Post.name', 'Post.title');

I checked the bakery's code and found out that after adding a comment
[the add form is secured], you could edit the comment to belong to
another user by sending Comment.user_id from a form. I assume getting
those ids isn't too hard, since they are probably found in the generated
HTML code of the profiles.

Any thoughts about it?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---

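The whitelist the post asks for, as an added example that is not part of the original message and not CakePHP's own code. It is a stand-alone PHP script that models the $this->data array shape ('Model' => array('field' => value)) and shows the vulnerable pattern (save whatever the client posted) next to a hardened one (keep only the fields the action expects, then set ownership server-side). The helper names (whitelistFormData, addPostVulnerable, addPostHardened), the user id 42 and the tampered POST are all constructed for the example; the mention of Model::save()'s third $fieldList argument refers to CakePHP 1.2 and is noted as an assumption in the comment.

```php
<?php
// Added example (not from the original post or from CakePHP).
// Models form data in the shape CakePHP puts into $this->data:
//   array('Post' => array('title' => ..., 'body' => ...))
// Assumed: the current user's id comes from the session, and on edit the
// record id comes from the URL, never from a posted Post.id.

/**
 * Keep only the fields the action expects. $allowed uses Cake's
 * 'Model.field' notation, e.g. array('Post.title', 'Post.body').
 * Every other key the client added to the form is dropped and its
 * name is appended to $dropped so the tampering can be logged.
 */
function whitelistFormData(array $data, array $allowed, array &$dropped = array()) {
    $keep = array();
    foreach ($allowed as $path) {
        list($model, $field) = explode('.', $path, 2);
        $keep[$model][$field] = true;
    }
    $clean = array();
    foreach ($data as $model => $fields) {
        if (!is_array($fields)) {           // a stray top-level key, not Model.field
            $dropped[] = $model;
            continue;
        }
        foreach ($fields as $field => $value) {
            if (isset($keep[$model][$field])) {
                $clean[$model][$field] = $value;
            } else {
                $dropped[] = $model . '.' . $field;
            }
        }
    }
    return $clean;
}

// Vulnerable: hand every posted key to save(), as in the manual's add().
function addPostVulnerable(array $data) {
    return $data;   // stands in for $this->Post->save($this->data)
}

// Hardened: whitelist the form, then assign ownership from the server side.
function addPostHardened(array $data, $currentUserId, array &$dropped = array()) {
    $clean = whitelistFormData($data, array('Post.title', 'Post.body'), $dropped);
    $clean['Post']['user_id'] = $currentUserId;   // from the session, not the form
    // Assumption: in CakePHP 1.2 the same restriction can be expressed as
    // $this->Post->save($clean, true, array('title', 'body', 'user_id')).
    return $clean;
}

// Constructed sample: a POST after the user added hidden inputs to the form.
$tamperedPost = array(
    'Post' => array(
        'title'    => 'Hello',
        'body'     => 'First post',
        'id'       => '4294967294',         // aim save() at another row
        'user_id'  => '1',                  // claim somebody else's account
        'created'  => '2007-01-01 00:00:00',
        'modified' => '2007-01-01 00:00:00',
    ),
);

$dropped = array();
$vuln = addPostVulnerable($tamperedPost);
$safe = addPostHardened($tamperedPost, 42, $dropped);

printf("vulnerable keys: %s\n", implode(', ', array_keys($vuln['Post'])));
printf("hardened keys:   %s\n", implode(', ', array_keys($safe['Post'])));
printf("dropped:         %s\n", implode(', ', $dropped));
```

The same filter covers the bakery comment case: an edit action whitelists Comment.body only, takes the comment id from the URL, and checks that the loaded row's user_id matches the session before saving, so a posted Comment.user_id never reaches the UPDATE.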