> So the save() method doesn't do much about security?
> I understand that it cannot detect problems you've mentioned. Does it
> at least escape data properly?
> What are the patterns/advice for doing things correctly? When looking
> at how to develop with CakePHP I never saw any advice on how to
> validate that the hidden fields, etc. weren't changed. Although I realize
> now that it is very important.
If you're not using the Security component, then using hidden fields
to store valuable data can lead to trouble since anyone can then
change that value and the server would never know about it. The other
option of course is to not use hidden fields and get the same data
that would have been stored in these fields either from the user
session perhaps or by doing a find or other query.
It may also be wise to use the Sanitize class
(http://book.cakephp.org/view/153/Data-Sanitization) to clean the data
before inserting it into your database (to strip out or escape HTML,
etc. that may have been submitted).
Also, one last thing is that $this->Model->save() has a 'fieldList'
parameter (or array index depending on your usage of save) that allows
you to specify only the fields in $this->data that should be saved.
This will prevent other data that has been injected into the HTML form
on the client-side from making its way into your database when the
form is submitted to the server.
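The two mitigations in the reply above, as an added plain-PHP example that is not code from the post or from CakePHP: a trusted value is taken from the session instead of a hidden field, and only whitelisted fields reach the save. The helper pickFieldList() is a stand-in that mimics what save()'s fieldList argument does; the submitted data and session contents are constructed samples.

```php
<?php
// Constructed sample of $this->data after a submission in which the
// client added fields the real form never rendered.
$submitted = array(
    'Post' => array(
        'title'    => 'Hello',
        'body'     => '<b>text</b>',
        'user_id'  => '1',   // injected: would reassign the post's owner
        'approved' => '1',   // injected: would self-approve the post
    ),
);

// Constructed stand-in for the logged-in user's session data
// (in CakePHP this would come from $this->Session or $this->Auth).
$session = array('User' => array('id' => '42'));

// Keep only the fields named in $fieldList and collect the rest so the
// rejected keys can be logged; this is an assumed helper, not Cake's code.
function pickFieldList(array $fields, array $fieldList, array &$dropped = array()) {
    $kept = array();
    foreach ($fields as $field => $value) {
        if (in_array($field, $fieldList, true)) {
            $kept[$field] = $value;
        } else {
            $dropped[] = $field;
        }
    }
    return $kept;
}

$dropped = array();
$toSave = array('Post' => pickFieldList($submitted['Post'], array('title', 'body'), $dropped));

// The owner id comes from the session, never from a hidden form field.
$toSave['Post']['user_id'] = $session['User']['id'];

// The equivalent in a CakePHP controller, using save()'s fieldList argument:
//   $this->Post->save($this->data, true, array('title', 'body'));
// Later versions also accept the array form the reply mentions:
//   $this->Post->save($this->data, array('fieldList' => array('title', 'body')));

print_r($toSave);  // Post.title, Post.body and Post.user_id = 42 only
if ($dropped) {
    // Unexpected fields are a useful signal of client-side tampering.
    error_log('Rejected form fields: ' . implode(', ', $dropped));
}
```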
You received this message because you are subscribed to the Google Groups "CakePHP" group.