Sunday, April 3, 2011

Re: Euromark function guaranteeFields($requiredFields, $data = null) {

I disagree with Milos on some points,
but yes, the crucial point is that the main focus should be the server
side as far as security is concerned.

But besides that, he proposes hacks that will not only make the code
less readable, they also open the door for many
bugs and errors, as well as bloating the model unnecessarily.

"if you didn't input required value
(if you even specified what types of character can be used), there is
no way you'll pass submitting"
Actually, you will. What if the validation is only checking if the ID
is valid? You still could use the ID of any other user on the site,
and the security component will not be able to do anything against it.

That's why all fields that are not intended to be changed should be
excluded from being passed on to the model.
This way you can ensure that no harm can be done to them.
It's easy, it's short (compared to other solutions like Milos's), it's
clean.


On 3 Apr., 10:57, Miloš Vučinić <milosvuci...@gmail.com> wrote:
> I just read something. So one more comment :) Hope I am not boring you. If
> you are worried about primary key injection etc., you can always make
> rights to do stuff. You can have several functions for doing stuff.
> You can grab data in the controller and see if somebody tried to enter a
> parameter which is not allowed for this kind of user. Like role_id
> etc., and if they are not null, you block the save functions.
>
> Eg.
> I have a user controller, and I have 2 edit functions and by that 2
> different forms. The first one is for admins, and the second one for users. In
> the users function I check the data before calling the model ($this->save($data))
> and I see what is in that data. If I find something I don't
> want there I would not call the save data function...
>
> I can't remember if I actually did that, but I think it is quite
> doable, because you have access to the data var before calling the model..
>
> all the best :)
>
> On Apr 3, 10:51 am, Miloš Vučinić <milosvuci...@gmail.com> wrote:
>
> > And if you hate programming so many fields, just bake the add form for
> > the database table and change it the way you want.. baking takes like
> > a minute to finish .
> > :)
>
> > I am no baking everything I can :)
>
> > all the best
> > Milos
>
> > On Apr 2, 9:26 pm, "Krissy Masters" <naked.cake.ba...@gmail.com>
> > wrote:
>
> > > Right on. Was only curious since Security create a hash based on the fields
> > > I figured there must be some way to do the same thing and use it for
> > > whatever reason.
>
> > > Thanks for the info all the same.
>
> > > K
>
> > > -----Original Message-----
> > > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf
>
> > > Of euromark
> > > Sent: Saturday, April 02, 2011 10:43 PM
> > > To: CakePHP
> > > Subject: Re: Euromark function guaranteeFields($requiredFields, $data =
> > > null) {
>
> > > it is not possible.
> >
> > > the controller has no direct link to the form helper,
> > > especially not after a post (and therefore BEFORE the form is rendered
> > > again).
> > > controller + model are finished before the view even starts to render.
> >
> > > you would need to embed the keys as a hidden field in the form itself
> > > (+ hash etc. to disallow any modifications).
> > > but then you could just as well use the security component and you
> > > would already be done.
> >
> > > so I don't see a point in that.
> > > I agree that it can be a pain in the butt.
> > > in some rare occasions you could use blacklisting (especially if you
> > > only want to forbid 1 field of 50 allowed fields).
> > > in other occasions you would store those field names in a (long?)
> > > array in the model and simply use it in the controller:
> > > $this->Model->allowedFieldsForEdit
> > > etc.
> >
> > > either way, linking the form helper / form inputs to the model logic
> > > can probably do more harm than good.
> > > I would think about which fields are allowed and manually pass them to
> > > the set/save methods. using the model arrays to store the fields will
> > > also ensure that after an update of the schema you have all field names
> > > in a single place. it is less likely you will forget to add/delete fields.
>
> > > On 3 Apr., 00:51, "Krissy Masters" <naked.cake.ba...@gmail.com> wrote:
> > > > Sorry, I think you missed my point.
> > > > Example:
> > > > I have a form with 50 fields. I would have to manually type out all 50 if
> > > > they have to be in the form = pain.
> > > > I'm interested in grabbing all the field names the form has before it's
> > > > rendered. Then use that in the function before saving:
> > >
> > > > beforeRender() / beforeFilter(){
> > > > grab all the fields your form has before rendering it
> > >
> > > > $form_fields = ??? somefunction to grab all your fields
> > >
> > > > Then use an array / !in_array / array_keys to keep / exclude ones that
> > > > are required to be there
> > >
> > > > $required_fields = array_diff( array('optional', 'fields', 'here'
> > > > ), $form_fields); //something like that so you type out a few not all type
> > > > thing
> > >
> > > > }
> > >
> > > > That's what I am wondering, if anyone knows how you could grab a list of
> > > > fields in the form.
> > >
> > > > Thanks,
> > >
> > > > K
>
> > > > -----Original Message-----
> > > > From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On
> > > Behalf
>
> > > > Of cricket
> > > > Sent: Saturday, April 02, 2011 7:45 PM
> > > > To: cake-php@googlegroups.com
> > > > Subject: Re: Euromark function guaranteeFields($requiredFields, $data =
> > > > null) {
>
> > > > On Sat, Apr 2, 2011 at 3:10 PM, Krissy Masters
> > > > <naked.cake.ba...@gmail.com> wrote:
> > > > > Reading the bit about making fields required in a form so a user can not
> > > > > firebug them out, and thought: is there a way to manually grab the names
> > > > > of the fields in a form being rendered in the controller?
> > > > > Form might have 50 fields and you need them all; writing out all of that
> > > > > would be trauma. (but writing the names and updating the model in the
> > > > > future, spelling....so on)
> > > >
> > > > > Security component does something with all the names to make its hash,
> > > > > no?
> > > >
> > > > > Anyone have any ideas? Here is a link to his excellent idea in case
> > > > > anyone wants to read up on it.
> > > >
> > > > > http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/
> > > >
> > > > > section => Protection against missing fields
>
> > > > I think it would be best to use a class var in the model.
>
> > > > $this->Model->set(
> > > >         $this->data,
> > > >         null,
> > > >         $this->Model->required_fields
> > > > );
>
> > > > You could even have separate field lists for different actions:
>
> > > > $this->Model->set(
> > > >         $this->data,
> > > >         null,
> > > >         $this->Model->required_fields['edit']
> > > > );
>
>

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
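Added example, not code from the thread, the linked blog post or CakePHP itself: the field whitelist euromark argues for, combined with the per-action field lists cricket suggests. It is plain PHP; the `$allowedFields` map, the field names and `dataForUserEdit()` are hypothetical, and the POST body is constructed.

```php
<?php
// Added example (not from the thread or CakePHP): keep one whitelist of
// form fields per action in a single place and hand the model only those
// keys. Plain PHP; $allowedFields and the field names are hypothetical.
$allowedFields = array(
    'edit'      => array('username', 'email', 'bio'),
    'adminEdit' => array('username', 'email', 'bio', 'role_id', 'active'),
);

/**
 * Keep only the whitelisted keys of one model's submitted data.
 * Unknown keys are dropped entirely rather than passed on to the model.
 */
function filterFields(array $data, array $allowed) {
    return array_intersect_key($data, array_flip($allowed));
}

/**
 * Submitted keys that were not on the whitelist. A non-empty result for a
 * form you rendered yourself is worth logging: the client changed the form.
 */
function rejectedFields(array $data, array $allowed) {
    return array_values(array_diff(array_keys($data), $allowed));
}

/**
 * What a user-level edit action would pass to save(): the filtered data
 * with the record id pinned to the logged-in user, never taken from POST.
 */
function dataForUserEdit(array $posted, array $allowedFields, $sessionUserId) {
    $clean       = filterFields($posted, $allowedFields['edit']);
    $clean['id'] = $sessionUserId;
    return $clean;
}

// Constructed sample: a POST body for the user form carrying two keys the
// form never rendered (the id of another record, and role_id).
$posted = array(
    'id'       => 42,
    'username' => 'alice',
    'email'    => 'alice@example.com',
    'bio'      => 'hello',
    'role_id'  => 1,
);

print_r(dataForUserEdit($posted, $allowedFields, 7));
print_r(rejectedFields($posted, $allowedFields['edit']));
// CakePHP's Model::save() also takes a field list as its third argument,
// which enforces the same whitelist inside the model:
// $this->User->save($clean, true, $allowedFields['edit']);
```

For the constructed body the filtered array keeps username, email and bio with id forced to 7, and the rejected list is id and role_id; only the first ever reaches the model.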
