Well, first of all, you need to validate the data before saving it. http://book.cakephp.org/view/125/Data-Validation
Then, you might consider sanitizating the submited data http://book.cakephp.org/view/153/Data-Sanitization And then, you can even go ahead and allow only certain fields to be saved http://book.cakephp.org/view/75/Saving-Your-Data The code provided in the tutorial is only to get you to start coding as fast as possible, and then build off that. On May 4, 10:35 am, "AzGhanv/." <azgha...@gmail.com> wrote: > I was checking tihs tutorial > ...http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial > > Here I see a big security flaw ... and I think this practice is used > throughout the framework. > > # function add() > # { > # if (!empty($this->data)) > # { > # if ($this->Post->save($this->data)) > # { > # $this->flash('Your post has been saved.','/posts'); > # } > # } > # } > > We create HTML forms input with name like 'data[Post][field_name]' ... > and on post back we can access it using $this->data. > > and that data array contains array of "Post" as in our input name. > > Concern: > As value in input "field_name" directly maps to our DB field, if some > one tamper your HTML form by guessing database field name ... we have > no checks. > > I want to know, is there any base solution provided by cakephp, or we > have to recheck the posted fields manually again. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---
