The normal approach is to generate an id and include it as a hidden
field in your form. If this field is missing or has a wrong value,
you'll know that the form data came from a wrong place.
On 20 Sep., 16:11, rethab <rethab...@gmail.com> wrote:
hi there
I have the following (simplified)
Thanks for the link to your blog, euromark. It helped me a lot and I now see
my question as solved.
@ohcibi: I don't think your approach fixes the problem I described.
You could still add an arbitrary field and send it to the server.
2010/9/21 ohcibi <i...@dwgadf.de>
THE normal approach is
No you can't. Submitting arbitrary data to a post form is exactly the
thing you will avoid with this approach. Maybe I misused the word ID.
What I meant could better be called an authenticity token (that's what
Rails is calling it); it has nothing (better: must not) to do with
the actual ID of your
Yes, but whitelisting is for too many fields passed;
in this case it does not help.
rethab is talking about switching the primary key (id) from a valid
one to an invalid one.
This is not checked anywhere and can give somebody control over
foreign records - for example
XSS is view security and not
Hi there,
I have the following (simplified) scenario: a usual form to add a post
(from the blog tutorial). If the form is submitted, this method is
called inside the action: $this->Post->save($this->data);
I also have some validation stuff inside the post model (title, body).
Now I know, anybody can
You shouldn't use the Cake default templates;
they are in no way prepared for the real world.
Modify them in order to protect your data.
In your case you retrieve the data first in the edit action,
and right before save() you check the passed id against the real one
from the record.
If they don't match,
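The check euromark describes (load the record first, compare the posted id with the real one right before save(), and whitelist the editable columns so extra fields are dropped), written out as an added example that is not code from the thread or from CakePHP itself. It assumes a CakePHP 1.3-style PostsController with a Post model whose editable columns are `title` and `body`; the helper name `postedIdMatchesRecord` is my own.

```php
<?php
// Added example (assumed CakePHP 1.3 controller API, assumed Post model).

/**
 * Compare the id submitted in the form with the id of the record that was
 * actually loaded for editing. Returns true when they match and false when
 * the form was tampered with: hidden id stripped, or pointed at a foreign row.
 */
function postedIdMatchesRecord(array $posted, $recordId) {
    if (!isset($posted['Post']['id'])) {
        return false; // hidden field missing: not our form
    }
    // Strict string comparison so "1abc" is not silently accepted as 1.
    return (string)$posted['Post']['id'] === (string)$recordId;
}

class PostsController extends AppController {

    function edit($id = null) {
        // 1. Load the real record from the URL id before touching $this->data.
        $post = $this->Post->read(null, $id);
        if (!$post) {
            $this->Session->setFlash('Invalid post');
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // 2. Reject the submission if the posted id is not this record's id.
            if (!postedIdMatchesRecord($this->data, $post['Post']['id'])) {
                $this->Session->setFlash('Form data does not belong to this post');
                $this->redirect(array('action' => 'index'));
            }
            // 3. The primary key comes from the server-side record, never from the
            //    client, and the field list drops any extra columns that were posted.
            $this->Post->id = $post['Post']['id'];
            $this->data['Post']['id'] = $post['Post']['id'];
            if ($this->Post->save($this->data, true, array('title', 'body'))) {
                $this->Session->setFlash('Post saved');
                $this->redirect(array('action' => 'index'));
            }
        } else {
            // First visit: prefill the form from the loaded record.
            $this->data = $post;
        }
    }
}
```

Note that this only stops primary-key swapping and stray fields; it does not by itself prove the form was rendered by this server, which is what the hidden authenticity token ohcibi mentions is for.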