Re: Is this not a security issue?

2007-07-30 Thread housebolt

Oh, hehe I get it now.

Sorry, I was assuming you were trying to add a value that you actually
did want to add/change in your database.

Larry's right (as usual), you can limit the fields that can get changed by
the third param in $this->Model->save().

On Jul 30, 3:24 pm, morecakepls <[EMAIL PROTECTED]> wrote:
> Thanks, that answered my question! Perfect
>
> On Jul 30, 10:48 pm, "Larry E. Masters aka PhpNut" <[EMAIL PROTECTED]>
> wrote:
>
> > No it is not...
>
> >http://api.cakephp.org/class_model.html#ebe42ae387be89985b5a35dd428f5c81
>
> > The third param in the save method is what you are looking for in 1.1; the same
> > goes for 1.2, but version 1.2 also has the Security class that does a little
> > more magic.
>
> > --
> > /**
> > * @author Larry E. Masters
> > * @var string $userName
> > * @param string $realName
> > * @returns string aka PhpNut
> > * @access  public
> > */
>
> > On 7/30/07, morecakepls <[EMAIL PROTECTED]> wrote:
>
> > > Hi
>
> > > What if my table is named User and there are three fields called
> > > Username, Password, Secretvalue. I present the user a form to change
> > > the username and password and use the $this->User->save($this->data)
> > > function in the controller to save the form data to the database.
>
> > > I managed to use firefox to create another input element for the
> > > Secretvalue and changed the Secretvalue in the User table. Is this not
> > > a serious security issue? How can I avoid this? Should I validate
> > > before saving data to the database?
>
> > > Thanks
> > > morecakepls


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Is this not a security issue?

2007-07-30 Thread morecakepls

Thanks, that answered my question! Perfect

On Jul 30, 10:48 pm, "Larry E. Masters aka PhpNut" <[EMAIL PROTECTED]>
wrote:
> No it is not...
>
> http://api.cakephp.org/class_model.html#ebe42ae387be89985b5a35dd428f5c81
>
> The third param in the save method is what you are looking for in 1.1; the same
> goes for 1.2, but version 1.2 also has the Security class that does a little
> more magic.
>
> --
> /**
> * @author Larry E. Masters
> * @var string $userName
> * @param string $realName
> * @returns string aka PhpNut
> * @access  public
> */
>
> On 7/30/07, morecakepls <[EMAIL PROTECTED]> wrote:
>
> > Hi
>
> > What if my table is named User and there are three fields called
> > Username, Password, Secretvalue. I present the user a form to change
> > the username and password and use the $this->User->save($this->data)
> > function in the controller to save the form data to the database.
>
> > I managed to use firefox to create another input element for the
> > Secretvalue and changed the Secretvalue in the User table. Is this not
> > a serious security issue? How can I avoid this? Should I validate
> > before saving data to the database?
>
> > Thanks
> > morecakepls


Re: Is this not a security issue?

2007-07-30 Thread housebolt

Hmm... well usually what you'd want to do is put the secret value into
a session variable,

$this->Session->write('secretvalue', 'whateverthesecretvalueis');

Once the person has posted the value from the hidden input tag, you
can then check it against the secret value to make sure that they're
the same.

if ($this->Session->check('secretvalue')) {
    // Strict comparison: the posted value must match the server-side copy exactly.
    if ($this->Session->read('secretvalue') === $this->data['Model']['secretvalue']) {
        // everything's a ok
    } else {
        // bad hacker... bad!
    }
} else {
    // session value not set, do a redirect
}

You can also look at the Security component in the CakePHP manual for
more security helpers, like requirePost to require a POST rather than
a GET request.
I also recommend that you buy 'Essential PHP Security' by Chris
Shiflett, http://www.oreilly.com/catalog/phpsec/.

Hope this helps : ).

On Jul 30, 2:42 pm, morecakepls <[EMAIL PROTECTED]> wrote:
> Hi
>
> What if my table is named User and there are three fields called
> Username, Password, Secretvalue. I present the user a form to change
> the username and password and use the $this->User->save($this->data)
> function in the controller to save the form data to the database.
>
> I managed to use firefox to create another input element for the
> Secretvalue and changed the Secretvalue in the User table. Is this not
> a serious security issue? How can I avoid this? Should I validate
> before saving data to the database?
>
> Thanks
> morecakepls



Re: Is this not a security issue?

2007-07-30 Thread Larry E. Masters aka PhpNut

No it is not...

http://api.cakephp.org/class_model.html#ebe42ae387be89985b5a35dd428f5c81

The third param in the save method is what you are looking for in 1.1; the same
goes for 1.2, but version 1.2 also has the Security class that does a little
more magic.

-- 
/**
* @author Larry E. Masters
* @var string $userName
* @param string $realName
* @returns string aka PhpNut
* @access  public
*/

On 7/30/07, morecakepls <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> What if my table is named User and there are three fields called
> Username, Password, Secretvalue. I present the user a form to change
> the username and password and use the $this->User->save($this->data)
> function in the controller to save the form data to the database.
>
> I managed to use firefox to create another input element for the
> Secretvalue and changed the Secretvalue in the User table. Is this not
> a serious security issue? How can I avoid this? Should I validate
> before saving data to the database?
>
> Thanks
> morecakepls


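The whitelist behaviour Larry and housebolt point at (the third, fieldList
argument of Model::save()), as an added example that is not part of the
thread and not CakePHP's own code. A plain PHP script models
save($data, $validate, $fieldList) against an array standing in for the
User table, so it runs without Cake. The sample row, the posted data with
the injected Secretvalue key, and user id 42 as the logged-in user are
constructed for the demo.

```php
<?php
// Added example: models CakePHP's Model::save($data, $validate, $fieldList)
// with a plain array standing in for the User table. All data is constructed.

// The User row before the request (constructed sample row).
$userTable = array(
    42 => array(
        'id'          => 42,
        'Username'    => 'alice',
        'Password'    => 'oldpass',
        'Secretvalue' => 'keep-me',
    ),
);

// What the browser posted. The form rendered only Username and Password;
// the Secretvalue key was added by editing the DOM, as in the original post.
$postedData = array(
    'User' => array(
        'Username'    => 'alice',
        'Password'    => 'newpass',
        'Secretvalue' => 'pwned',
    ),
);

// Mirrors $this->User->save($this->data): every posted column of the
// user's row is overwritten, including the injected one.
function saveAllFields(array &$table, $userId, array $data)
{
    $table[$userId] = array_merge($table[$userId], $data['User']);
    return $table[$userId];
}

// Mirrors $this->User->save($this->data, true, $fieldList): only columns
// named in the whitelist are written; any other posted key is dropped.
function saveWithFieldList(array &$table, $userId, array $data, array $fieldList)
{
    $allowed = array_intersect_key($data['User'], array_flip($fieldList));
    $table[$userId] = array_merge($table[$userId], $allowed);
    return $table[$userId];
}

// Assumed: 42 is the logged-in user's id, taken from the session, not the post.
$userId = 42;

$snapshot = $userTable;
$after = saveAllFields($userTable, $userId, $postedData);
echo "save(\$this->data):                  Secretvalue = ", $after['Secretvalue'], "\n";

$userTable = $snapshot;
$after = saveWithFieldList($userTable, $userId, $postedData, array('Username', 'Password'));
echo "save(\$this->data, true, fieldList): Secretvalue = ", $after['Secretvalue'], "\n";
```

The first line reports the tampered value, the second the original one. In a
controller the hardened call is
$this->User->save($this->data, true, array('Username', 'Password')); the list
has to be fixed server-side, because the form the browser rendered says
nothing about which keys will come back in the POST.
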

Is this not a security issue?

2007-07-30 Thread morecakepls

Hi

What if my table is named User and there are three fields called
Username, Password, Secretvalue. I present the user a form to change
the username and password and use the $this->User->save($this->data)
function in the controller to save the form data to the database.

I managed to use firefox to create another input element for the
Secretvalue and changed the Secretvalue in the User table. Is this not
a serious security issue? How can I avoid this? Should I validate
before saving data to the database?

Thanks
morecakepls
