Saturday, August 17, 2013

RE: Data validation: Client or Server?

Agreed, but even still, $whitelist = array() of fields so you ensure that these fields are set. So if someone edits the form, you ensure that these are required no matter what.

There is an extension you can add to the model to ensure fields are set; if not, it will not save anything.

 

/**
 * Assumed placement: app/Model/AppModel.php in a CakePHP 2.x application,
 * so every model inherits these two methods.
 */
class AppModel extends Model {

    /************************************************************
     * GLOBAL SET FUNCTION EDIT
     ************************************************************
     *
     * extends the core set function (only using data!!!)
     *
     ************************************************************/
    public function set($data, $data2 = null, $requiredFields = array()) {
        if (!empty($requiredFields)) {
            $data = $this->guaranteeFields($requiredFields, $data);
        }
        return parent::set($data, $data2);
    }

    /************************************************************
     * GUARANTEED FIELDS ARE IN THE FORM
     ************************************************************
     *
     * make sure required fields exist - in order to properly validate them
     * and not removed with firebug
     * @param array: field1, field2 - or field1, Model2.field1 etc
     * @param array: data (optional, otherwise the array with the required fields will be returned)
     * @return array
     ************************************************************/
    public function guaranteeFields($requiredFields, $data = null) {
        $guaranteedFields = array();
        foreach ($requiredFields as $column) {
            if (strpos($column, '.') !== false) {
                // 'Model2.field1' targets another model's data
                list($model, $column) = explode('.', $column, 2);
            } else {
                $model = $this->alias;
            }
            $guaranteedFields[$model][$column] = ''; # now field exists in any case!
        }

        if ($data === null) {
            return $guaranteedFields;
        }
        if (!empty($guaranteedFields)) {
            // posted values win over the '' placeholders
            $data = Set::merge($guaranteedFields, $data);
        }
        return $data;
    }
}

 

Dave Maharaj

Freelance Designer | Developer

www.movepixels.com  |  dave@movepixels.com  |  709.800.0852

 

From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Dav Mat
Sent: Friday, August 16, 2013 1:03 PM
To: cake-php@googlegroups.com
Subject: Re: Data validation: Client or Server?

 

This is not arguable: never rely just on client validation.

 

Let me say it again: never EVER rely on client validation, or trust data sent from the client. POST data can be easily manipulated at the client level. JavaScript should always be used as an enhancement.

 

 

Also, be very conscious of what you are doing when using $this->Model->save($this->request->data).

 

For example, let's say you have a site with a user registration form. In your view you would have:

 

echo $this->Form->create('User');
echo $this->Form->input('name');
echo $this->Form->input('email');
echo $this->Form->end('Submit');

 

 

In the controller you would be tempted to just have:

 

$this->User->save($this->request->data);

 

Please be careful with this. If the users table has other fields like 'is_admin', 'has_paid', 'role', etc., this could be a HUGE security issue! A malicious user could manipulate the POST data before sending it to add data[User][admin]=1 or data[User][role]=admin.

 

You should use:

 

$this->User->create();
$this->User->set('name', $this->request->data['User']['name']);
$this->User->set('email', $this->request->data['User']['email']);
$this->User->save();

 

Or better (and cleaner):

 

$this->User->save($this->request->data, true, array('name','email'));

 

 


On Friday, August 16, 2013 3:15:36 PM UTC+2, Jeremy Burns wrote:

I still view jQuery as progressive enhancement. Even if it is mostly on, it can still be turned off, which would - if you relied only on client-side code - skip your validation. You also never know how your site will be accessed; what if (remote, I know) you wanted to open it up as a web service or API? Then you'd need to load up your validation anyway. Just my 2c.


Jeremy Burns

Class Outfit

http://www.classoutfit.com

 

On 16 Aug 2013, at 12:32:29, jer...@anthemwebsolutions.com wrote:



I wanted to get some opinions on this. Cake's validation structure is easy to apply and works flawlessly (so far, wink,wink). But I've also written some data validation with jQuery which is activated at the client side.

Is there still a need to validate at the server if most browsers support javascript? Do some of you leave off the server side validation in lieu of client side? How's that HTML5 data validation working for you?

 

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
 
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+u...@googlegroups.com.
To post to this group, send email to cake...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.
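The two defences discussed in the thread (Dav Mat's fieldList whitelist in save() and Dave Maharaj's guaranteeFields() merge) shown together on a tampered POST payload, as an added stand-alone example that is not code from either poster or from CakePHP itself. The function names whitelistFields and guaranteeFields are hypothetical re-implementations in plain PHP; the payload is constructed.

```php
<?php
// Added example (not from either poster or CakePHP): the two defences from
// the thread in plain PHP, so their effect on a tampered POST can be seen
// without a Cake install. Function names are hypothetical.

// Like CakePHP's save($data, true, $fieldList): keep only whitelisted
// columns. Entries are 'column' (of $model) or 'Model.column'.
function whitelistFields(array $data, $model, array $fieldList)
{
    $allowed = array();
    foreach ($fieldList as $field) {
        $m = $model;
        if (strpos($field, '.') !== false) {
            list($m, $field) = explode('.', $field, 2);
        }
        $allowed[$m][$field] = true;
    }
    $clean = array();
    foreach ($allowed as $m => $columns) {
        if (isset($data[$m]) && is_array($data[$m])) {
            // array_intersect_key silently drops is_admin, role, ...
            $clean[$m] = array_intersect_key($data[$m], $columns);
        }
    }
    return $clean;
}

// Make sure required columns exist (as '') so the validation rules still
// run when the client deleted the input from the form.
function guaranteeFields(array $data, $model, array $required)
{
    foreach ($required as $field) {
        $m = $model;
        if (strpos($field, '.') !== false) {
            list($m, $field) = explode('.', $field, 2);
        }
        if (!isset($data[$m][$field])) {
            $data[$m][$field] = '';
        }
    }
    return $data;
}

// Constructed payload: the form only had name and email, but the client
// added is_admin/role and deleted the email input before submitting.
$post = array('User' => array('name' => 'mallory', 'is_admin' => '1', 'role' => 'admin'));
$fields = array('name', 'email');
$safe = guaranteeFields(whitelistFields($post, 'User', $fields), 'User', $fields);
var_export($safe);
```

Run with `php example.php`: the injected is_admin and role keys are gone, and the removed email field is back as an empty string so a notEmpty rule on it still fires.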

 

