Re: Howto secure a form / posted data from tampering?
Hi Larry, thank you very much for your help, but I'm afraid there's just a small problem left (or is this by design?): It doesn't work if you don't define $this->Security->blackHoleCallback. It only works (in my situation) when you define a callback and, if defined, that callback is always invoked when posting.

So it now works like this:

Post the form --> if (blackHoleCallback defined) --> invoke callback (error=auth) AND save model

or:

Post the form --> if (no blackHoleCallback defined) --> do not save model

On 8 apr, 17:49, "Larry E. Masters aka PhpNut" <[EMAIL PROTECTED]> wrote:
> Marcelius,
> I have fixed the issues with multiple record forms in the latest svn branch version of 1.2.x.x
>
> You can grab the latest nightly release with the fixes: http://cakephp.org/downloads/index/nightly/1.2.x.x
>
> Everything should work properly if you are using the security component and the form helper to create your forms.
>
> --
> /**
>  * @author Larry E. Masters
>  * @var string $userName
>  * @param string $realName
>  * @returns string aka PhpNut
>  * @access public
>  */
>
> On Tue, Apr 8, 2008 at 7:37 AM, Marcelius <[EMAIL PROTECTED]> wrote:
> > Thanks for your answers!
> >
> > @Bert: Think that method is pretty straight forward, haven't checked it yet but I'm sure that will work without any problems
> > @grigri: Seems like it doesn't do its job like it should in my situation, do I need to configure something?
> >
> > I think it has something to do with the names of the input fields, they are in the format of [ModelName].[id].[FieldName] instead of [ModelName].[FieldName]
> > If I hit the submit button without changing anything the Security component will fail on the form validation and that blackhole callback is called.
> >
> > So could you help me with that? I've looked over in the api of the Security component, but I couldn't find anything related to this issue..
> >
> > On 8 apr, 15:46, grigri <[EMAIL PROTECTED]> wrote:
> > > To use the FormHelper's secure method, just include the Security component in your controller: it works automagically.
> > >
> > > On Apr 8, 2:40 pm, "Bert Van den Brande" <[EMAIL PROTECTED]> wrote:
> > > > In your call to $model->save() you can set the fields that can be updated. All other fields will be ignored ...
> > > >
> > > > On Tue, Apr 8, 2008 at 3:37 PM, Marcel <[EMAIL PROTECTED]> wrote:
> > > > > Hello
> > > > >
> > > > > The problem is that a model has some fields that the user may never edit. I don't show them in the /edit view so they don't get posted (by default). But manually adding some of those private fields will result in illegal save. I've noticed the secure method in the api of the FormHelper to generate a hidden field with some sort of hash, but how do I use that?
> > > > >
> > > > > I did this in my /edit view:
> > > > > echo $form->secure($this->data);
> > > > >
> > > > > Which does work, but how do I validate that in my save method? If I do a post it still saves the posted (malicious) data...?
> > > > >
> > > > > Thanks in advance

You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to cake-php@googlegroups.com. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
Re: Howto secure a form / posted data from tampering?
Marcelius,
I have fixed the issues with multiple record forms in the latest svn branch version of 1.2.x.x

You can grab the latest nightly release with the fixes: http://cakephp.org/downloads/index/nightly/1.2.x.x

Everything should work properly if you are using the security component and the form helper to create your forms.

--
/**
 * @author Larry E. Masters
 * @var string $userName
 * @param string $realName
 * @returns string aka PhpNut
 * @access public
 */

On Tue, Apr 8, 2008 at 7:37 AM, Marcelius <[EMAIL PROTECTED]> wrote:
> Thanks for your answers!
>
> @Bert: Think that method is pretty straight forward, haven't checked it yet but I'm sure that will work without any problems
> @grigri: Seems like it doesn't do its job like it should in my situation, do I need to configure something?
>
> I think it has something to do with the names of the input fields, they are in the format of [ModelName].[id].[FieldName] instead of [ModelName].[FieldName]
> If I hit the submit button without changing anything the Security component will fail on the form validation and that blackhole callback is called.
>
> So could you help me with that? I've looked over in the api of the Security component, but I couldn't find anything related to this issue..
>
> On 8 apr, 15:46, grigri <[EMAIL PROTECTED]> wrote:
> > To use the FormHelper's secure method, just include the Security component in your controller: it works automagically.
> >
> > On Apr 8, 2:40 pm, "Bert Van den Brande" <[EMAIL PROTECTED]> wrote:
> > > In your call to $model->save() you can set the fields that can be updated. All other fields will be ignored ...
> > >
> > > On Tue, Apr 8, 2008 at 3:37 PM, Marcel <[EMAIL PROTECTED]> wrote:
> > > > Hello
> > > >
> > > > The problem is that a model has some fields that the user may never edit. I don't show them in the /edit view so they don't get posted (by default). But manually adding some of those private fields will result in illegal save. I've noticed the secure method in the api of the FormHelper to generate a hidden field with some sort of hash, but how do I use that?
> > > >
> > > > I did this in my /edit view:
> > > > echo $form->secure($this->data);
> > > >
> > > > Which does work, but how do I validate that in my save method? If I do a post it still saves the posted (malicious) data...?
> > > >
> > > > Thanks in advance
Re: Howto secure a form / posted data from tampering?
Thanks for your answers!

@Bert: Think that method is pretty straight forward, haven't checked it yet but I'm sure that will work without any problems
@grigri: Seems like it doesn't do its job like it should in my situation, do I need to configure something?

I think it has something to do with the names of the input fields, they are in the format of [ModelName].[id].[FieldName] instead of [ModelName].[FieldName]
If I hit the submit button without changing anything the Security component will fail on the form validation and that blackhole callback is called.

So could you help me with that? I've looked over in the api of the Security component, but I couldn't find anything related to this issue..

On 8 apr, 15:46, grigri <[EMAIL PROTECTED]> wrote:
> To use the FormHelper's secure method, just include the Security component in your controller: it works automagically.
>
> On Apr 8, 2:40 pm, "Bert Van den Brande" <[EMAIL PROTECTED]> wrote:
> > In your call to $model->save() you can set the fields that can be updated. All other fields will be ignored ...
> >
> > On Tue, Apr 8, 2008 at 3:37 PM, Marcel <[EMAIL PROTECTED]> wrote:
> > > Hello
> > >
> > > The problem is that a model has some fields that the user may never edit. I don't show them in the /edit view so they don't get posted (by default). But manually adding some of those private fields will result in illegal save. I've noticed the secure method in the api of the FormHelper to generate a hidden field with some sort of hash, but how do I use that?
> > >
> > > I did this in my /edit view:
> > > echo $form->secure($this->data);
> > >
> > > Which does work, but how do I validate that in my save method? If I do a post it still saves the posted (malicious) data...?
> > >
> > > Thanks in advance
Re: Howto secure a form / posted data from tampering?
To use the FormHelper's secure method, just include the Security component in your controller: it works automagically.

On Apr 8, 2:40 pm, "Bert Van den Brande" <[EMAIL PROTECTED]> wrote:
> In your call to $model->save() you can set the fields that can be updated. All other fields will be ignored ...
>
> On Tue, Apr 8, 2008 at 3:37 PM, Marcel <[EMAIL PROTECTED]> wrote:
> > Hello
> >
> > The problem is that a model has some fields that the user may never edit. I don't show them in the /edit view so they don't get posted (by default). But manually adding some of those private fields will result in illegal save. I've noticed the secure method in the api of the FormHelper to generate a hidden field with some sort of hash, but how do I use that?
> >
> > I did this in my /edit view:
> > echo $form->secure($this->data);
> >
> > Which does work, but how do I validate that in my save method? If I do a post it still saves the posted (malicious) data...?
> >
> > Thanks in advance
Re: Howto secure a form / posted data from tampering?
In your call to $model->save() you can set the fields that can be updated. All other fields will be ignored ...

On Tue, Apr 8, 2008 at 3:37 PM, Marcel <[EMAIL PROTECTED]> wrote:
> Hello
>
> The problem is that a model has some fields that the user may never edit. I don't show them in the /edit view so they don't get posted (by default). But manually adding some of those private fields will result in illegal save. I've noticed the secure method in the api of the FormHelper to generate a hidden field with some sort of hash, but how do I use that?
>
> I did this in my /edit view:
> echo $form->secure($this->data);
>
> Which does work, but how do I validate that in my save method? If I do a post it still saves the posted (malicious) data...?
>
> Thanks in advance
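The two suggestions in this thread (grigri's Security component and Bert's field whitelist on save()) combined in one CakePHP 1.2 controller, as an added example that is not code from the thread or from CakePHP itself. The model name Post, its fields title/body/author_id and the callback name forceFailure are assumed for illustration.

```php
<?php
// Added example (not from the thread or from CakePHP): a CakePHP 1.2
// controller that hardens an edit form with the Security component plus
// a fieldList whitelist on save(). Model "Post" with user-editable fields
// title/body and a protected author_id is assumed for this example.
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Only accept POST for edit, and send any request whose hidden form
        // hash is missing or does not match to forceFailure() instead.
        $this->Security->requirePost('edit');
        $this->Security->blackHoleCallback = 'forceFailure';
    }

    function forceFailure($error) {
        // $error is the reason string, e.g. 'auth' for a bad form hash.
        // The callback must end the request: if it simply returns, the
        // action still runs and the tampered data is saved anyway.
        $this->log('Security black hole in ' . $this->action . ': ' . $error);
        $this->Session->setFlash('The form could not be verified.');
        $this->redirect(array('action' => 'index'));
    }

    function edit($id = null) {
        if (!empty($this->data)) {
            // Whitelist of fields a user may change. A field injected into
            // the POST that is not listed here (e.g. author_id) is dropped
            // by save() even when the form hash check did not catch it.
            $fieldList = array('id', 'title', 'body');
            if ($this->Post->save($this->data, true, $fieldList)) {
                $this->Session->setFlash('Post saved.');
                $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash('Post could not be saved.');
        }
        // Load the record for the form; the view's $form->secure() call
        // (as in the thread) then emits the hash the component verifies.
        $this->data = $this->Post->read(null, $id);
    }
}
?>
```

Without a blackHoleCallback the component's default is to black-hole the request itself, which is the "do not save model" path observed in the thread; with a callback that only logs and returns, the observed "invoke callback AND save model" behaviour follows.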
Howto secure a form / posted data from tampering?
Hello

The problem is that a model has some fields that the user may never edit. I don't show them in the /edit view so they don't get posted (by default). But manually adding some of those private fields will result in illegal save. I've noticed the secure method in the api of the FormHelper to generate a hidden field with some sort of hash, but how do I use that?

I did this in my /edit view:
echo $form->secure($this->data);

Which does work, but how do I validate that in my save method? If I do a post it still saves the posted (malicious) data...?

Thanks in advance