I was checking this tutorial ...
http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial

Here I see a big security flaw ... and I think this practice is used
throughout the framework.

    // add() action from the tutorial's PostsController: whatever arrives
    // in $this->data is handed straight to Post->save()
    function add()
    {
        if (!empty($this->data))
        {
            if ($this->Post->save($this->data))
            {
                $this->flash('Your post has been saved.', '/posts');
            }
        }
    }

We create HTML form inputs with names like 'data[Post][field_name]' ...
and on post back we can access them using $this->data.

And that data array contains an array of "Post", as in our input name.

Concern:
As the value in input "field_name" directly maps to our DB field, if
someone tampers with your HTML form by guessing database field names ...
we have no checks.

I want to know: is there any base solution provided by CakePHP, or do we
have to recheck the posted fields manually again?
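As an added example (not code from the original post or from the CakePHP book), here is the same add() action written so that only an explicit allowlist of columns can be set from the form. It assumes CakePHP 1.2, where Model::save() takes a third $fieldList argument, and a posts table whose browser-editable columns are title and body (any other column, such as an assumed user_id, is the kind of field a tampered form would try to inject).

```php
<?php
// Added example, not the original post's code or the CakePHP book's code.
// Assumes CakePHP 1.2 and a Post model with columns id, title, body,
// created, modified and an assumed user_id that the client must never set.
class PostsController extends AppController {

    var $name = 'Posts';

    // Columns a browser-submitted form is allowed to write. Anything else
    // arriving under data[Post][...] is dropped before it reaches the DB.
    var $postFormFields = array('title', 'body');

    function add() {
        if (!empty($this->data)) {
            // Defence 1: strip the submitted array down to the allowed keys
            // ourselves, so a guessed data[Post][user_id] input is removed
            // regardless of what the model layer does with it.
            $data = $this->_allowedPostData($this->data);

            // Defence 2: Model::save($data, $validate, $fieldList) writes only
            // the columns named in $fieldList, so even a key that slipped
            // past the filter above could not reach the UPDATE/INSERT.
            if ($this->Post->save($data, true, $this->postFormFields)) {
                $this->flash('Your post has been saved.', '/posts');
            }
        }
    }

    // Returns a copy of the posted data containing only the allowlisted
    // Post fields. array_intersect_key() keeps entries of $data['Post']
    // whose key also appears in the flipped allowlist (PHP 5.1+).
    function _allowedPostData($data) {
        $allowed = array_flip($this->postFormFields);
        $data['Post'] = array_intersect_key((array)$data['Post'], $allowed);
        return $data;
    }
}
```

Either defence alone closes the hole described above; using both means a later change to the model call cannot silently reopen it.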

