> So the save() method doesn't do much about security?
It has a field list which is a first line of defence:
http://api.cakephp.org/class/model#method-Modelsave
> I understand that it cannot detect problems you've mentioned. Does it
> at least escape data properly?
Yes.
> What are the patterns/advice for doing things correctly?
Use whitelists (fieldlist in save), validation and the security
component.
Don't trust your users :). Assume you're going to receive garbage/
manipulated data/users adding their own data etc. And try and do what
they're going to do.
This is pretty useful:
https://addons.mozilla.org/en-US/firefox/addon/7597
In addition to the obvious firebug + editing html directly.
> When looking
> at how to develop with Cake PHP I never saw any advice on how to
> validate if the hidden fields, etc weren't changed. Although I realize
> now that it is very important.
This is one of the primary functions of the security component.
One caveat: it won't detect a user 'selecting' an option in a select
that isn't a valid value (because doing so doesn't change the
structure of the form).
hth,
AD
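The three pieces of advice in the reply (fieldList whitelist in save(), validation, and the Security component) put together in one place, as an added example that is not code from the thread or from CakePHP itself; it uses CakePHP 1.3-era syntax, and the Post model, its columns, and the Auth and Session components are assumptions:

```php
<?php
// app/models/post.php (assumed model and column names)
class Post extends AppModel {
    var $name = 'Post';

    // Validation closes the gap the reply points out: a user 'selecting'
    // an option that is not in the <select> leaves the form structure
    // intact, so only a value check catches it.
    var $validate = array(
        'title' => array(
            'rule' => 'notEmpty',
            'message' => 'Title is required'
        ),
        'status' => array(
            // Only these option values are legitimate; anything else fails.
            'rule' => array('inList', array('draft', 'published')),
            'message' => 'Invalid status'
        )
    );
}

// app/controllers/posts_controller.php
class PostsController extends AppController {
    var $name = 'Posts';
    // Security component rejects POSTs whose field structure was altered
    // (fields added or removed, hidden field values changed).
    var $components = array('Security', 'Auth', 'Session');

    function add() {
        if (!empty($this->data)) {
            // Whitelist: only these columns may be written by this action.
            // A submitted 'user_id' or 'is_admin' key is dropped instead of
            // reaching the database.
            $fieldList = array('title', 'body', 'status');

            // Server-assigned values are set here, never taken from the form.
            $this->data['Post']['user_id'] = $this->Auth->user('id');
            $fieldList[] = 'user_id';

            // save($data, $validate = true, $fieldList): validation runs
            // first, then only whitelisted fields are persisted.
            if ($this->Post->save($this->data, true, $fieldList)) {
                $this->Session->setFlash('Saved.');
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash('Validation failed.');
            }
        }
    }
}
```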
You received this message because you are subscribed to the Google Groups "CakePHP" group.