I was checking tihs tutorial ... http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
Here I see a big security flaw ... and I think this practice is used throughout the framework. # function add() # { # if (!empty($this->data)) # { # if ($this->Post->save($this->data)) # { # $this->flash('Your post has been saved.','/posts'); # } # } # } We create HTML forms input with name like 'data[Post][field_name]' ... and on post back we can access it using $this->data. and that data array contains array of "Post" as in our input name. Concern: As value in input "field_name" directly maps to our DB field, if some one tamper your HTML form by guessing database field name ... we have no checks. I want to know, is there any base solution provided by cakephp, or we have to recheck the posted fields manually again. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---