This is a common web app issue. The same problem exists with form
input - if you have a drop-down in your form with the values 'A', 'B'
and 'C' - that doesn't actually stop a user from sending you 'D', it
just makes it (very) hard for technically naive users to do so.

What you want to do is check authorization - there's a good blurb here
in the CakePHP manual:
http://book.cakephp.org/view/465/understanding-how-acl-works

[quote]Realize that ACL is not the same as authentication. ACL is what
happens after a user has been authenticated. That being said, the two
are usually used in concert, but it's important to realize the
difference between knowing who someone is (authentication) and knowing
what they can do (ACL).[/quote]

To use your example, the index() method in your MyController should
start off by doing something like (pseudo-code):

    if $this->Auth->user() has_access_to $id then
        ...do stuff
    else
        Give warning, redirect somewhere safe

On Jul 21, 7:22 am, [EMAIL PROTECTED] wrote:
> I searched the archives of this group and never found an answer to
> this question.
>
> Suppose I have a page that is accessed via the URL
> http://www.mydomain.com/mycontroller/5
>
> There is nothing to stop a user from changing the URL to
> http://www.mydomain.com/mycontroller/6
> and viewing a different record.
>
> What is the preferred method for securing the parameters in a URL so that
> users cannot change the parameter value and walk through all the
> records in a table?  I thought about maybe using a UUID for the
> parameter or possibly hashing the parameter value.  Is there a better
> or preferred method for handling this type of situation?  Is there
> something built into version 1.2 to handle this?  I have a legacy
> application that was built using 1.1 and would like to start planning
> to upgrade to 1.2.
>
> thanks in advance for any advice you can provide.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
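A concrete version of the check the reply above sketches, added here as an example; it is not code from the original thread or from CakePHP itself. It assumes a CakePHP 1.2 controller over a hypothetical `invoices` table with a `user_id` column naming the owner, a model called Invoice, and AuthComponent keeping the logged-in user in the session; all of those names are illustrative. The first action is the pattern the question describes (any logged-in user can walk /invoices/view/5, /6, /7 ...); the fixed actions scope every lookup to the authenticated user, so a foreign id looks exactly like a non-existent one. Switching the id to a UUID or a hash, as the question considers, only makes ids hard to guess; it does not replace this check, because a shared or leaked URL still opens the record for anyone who is logged in.

```php
<?php
// Added example (not from the original thread): object-level authorization in
// a CakePHP 1.2 controller. Assumes a hypothetical "invoices" table with a
// "user_id" column naming the owner, and AuthComponent keeping the logged-in
// user in the session. Model, table and field names are illustrative.
class InvoicesController extends AppController {
    var $name = 'Invoices';
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Auth only establishes *who* the user is (authentication). It does
        // not know which invoices they may see; that is decided per record.
        $this->Auth->allow('login', 'logout');
    }

    // VULNERABLE: any logged-in user can change /invoices/view/5 to /6 and
    // read a record that belongs to someone else.
    function view_insecure($id = null) {
        $invoice = $this->Invoice->findById($id);
        if (empty($invoice)) {
            $this->cakeError('error404');
        }
        $this->set('invoice', $invoice);
    }

    // FIXED: the lookup is scoped to the authenticated user's id, so an id
    // that exists but belongs to another user is indistinguishable from one
    // that does not exist at all (no "this id exists" oracle).
    function view($id = null) {
        $invoice = $this->_findOwnedInvoice($id);
        if (empty($invoice)) {
            $this->Session->setFlash('That invoice is not available.');
            $this->redirect(array('action' => 'index'));
        }
        $this->set('invoice', $invoice);
    }

    // The same check is reused by every action that takes a record id (edit,
    // delete, download, ...). Keeping it in one place is what stops the next
    // action from forgetting it.
    function edit($id = null) {
        $invoice = $this->_findOwnedInvoice($id);
        if (empty($invoice)) {
            $this->Session->setFlash('That invoice is not available.');
            $this->redirect(array('action' => 'index'));
        }
        if (!empty($this->data)) {
            // Force the id and owner from the value we just authorized, not
            // from the form: a hidden Invoice.id field in the POST body is
            // just as forgeable as the URL parameter.
            $this->data['Invoice']['id'] = (int)$id;
            $this->data['Invoice']['user_id'] = $this->Auth->user('id');
            if ($this->Invoice->save($this->data)) {
                $this->redirect(array('action' => 'view', (int)$id));
            }
        }
        $this->data = $invoice;
    }

    // Underscore prefix: in CakePHP 1.2 a public controller method is
    // routable as an action, so a helper named findOwnedInvoice() would be
    // reachable at /invoices/findOwnedInvoice/5. "_" methods are not routed.
    function _findOwnedInvoice($id) {
        // Accept only a plain positive integer before it reaches the query.
        // Cake escapes conditions, but rejecting junk here keeps an empty or
        // malformed id from producing a surprising lookup.
        if (!is_numeric($id) || (int)$id <= 0) {
            return array();
        }
        return $this->Invoice->find('first', array(
            'conditions' => array(
                'Invoice.id'      => (int)$id,
                'Invoice.user_id' => $this->Auth->user('id'),
            ),
        ));
    }
}
?>
```

Two design points worth keeping when adapting this: the "not available" response is the same whether the id is missing, malformed or owned by someone else, so walking the id space tells an attacker nothing about which records exist; and the ownership condition lives in the query itself rather than in a separate "does this belong to me?" comparison after the fetch, which is both cheaper and harder to get wrong when the model is later joined or paginated.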