Friday, August 16, 2013

Re: Data validation: Client or Server?

This is not arguable: never rely just on client validation.

Let me say it again: never EVER rely on client validation, or trust data sent from the client. POST data can be easily manipulated at the client level. JavaScript should always be used as an enhancement.


Also, be very conscious of what you are doing when using $this->Model->save($this->request->data).

For example, let's say you have a site with a user registration form. In your view you would have:

echo $this->Form->create('User');
echo $this->Form->input('name');
echo $this->Form->input('email');
echo $this->Form->end('Submit');


In the controller you would be tempted to just have:

$this->User->save($this->request->data);

Please be careful with this. If the users table has other fields like 'is_admin', 'has_paid', 'role', etc., this could be a HUGE security issue! A malicious user could manipulate the POST data before sending it to add data[User][admin]=1 or data[User][role]=admin.

You should use:

$this->User->create();
$this->User->set('name', $this->request->data['User']['name']);
$this->User->set('email', $this->request->data['User']['email']);
$this->User->save();

Or better (and cleaner):

$this->User->save($this->request->data, true, array('name','email'));
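As an added illustration (not code from the post above or from CakePHP itself), the following plain-PHP snippet models what the third `$fieldList` argument of CakePHP 2.x `Model::save()` achieves: only whitelisted columns survive, and any extra keys a tampered POST body carries are dropped and reported so the controller can log them. The `filterSubmittedFields` helper and the POST body are constructed for this example.

```php
<?php
// Added example, not code from the original post or from CakePHP.
// Models in plain PHP what the $fieldList argument of CakePHP 2.x
// Model::save() does: keep only whitelisted columns, drop the rest,
// and report what was dropped so it can be logged as a tamper signal.

/**
 * Keep only $allowed keys of $data[$model]. Returns the filtered row
 * under 'data' and the list of rejected keys under 'rejected'.
 */
function filterSubmittedFields(array $data, string $model, array $allowed): array
{
    $row      = $data[$model] ?? [];
    $kept     = array_intersect_key($row, array_flip($allowed));
    $rejected = array_values(array_diff(array_keys($row), $allowed));
    return ['data' => [$model => $kept], 'rejected' => $rejected];
}

// Constructed POST body: the registration form only offers name and
// email, but two extra fields were injected before submission.
$postData = [
    'User' => [
        'name'     => 'alice',
        'email'    => 'alice@example.com',
        'role'     => 'admin',
        'is_admin' => '1',
    ],
];

$result = filterSubmittedFields($postData, 'User', ['name', 'email']);

if ($result['rejected'] !== []) {
    // Inside a CakePHP 2.x controller this would be CakeLog::write().
    error_log('Dropped unexpected User fields: ' . implode(', ', $result['rejected']));
}

// Only name and email reach the persistence layer. This is the effect of
// $this->User->save($this->request->data, true, array('name', 'email'))
// in CakePHP 2.x; the whitelist must live on the server, never in the form.
$toSave = $result['data'];
assert(!isset($toSave['User']['is_admin']) && !isset($toSave['User']['role']));
print_r($toSave);
```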



On Friday, August 16, 2013 3:15:36 PM UTC+2, Jeremy Burns wrote:
I still view jQuery as progressive enhancement. Even if it is mostly on it can still be turned off, which would - if you relied only on client side code - skip your validation. You also never know how your site will be accessed; what if (remote, I know) you wanted to open it up as a web service or API? Then you'd need to load up your validation anyway. Just my 2c.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 16 Aug 2013, at 12:32:29, jer...@anthemwebsolutions.com wrote:

I wanted to get some opinions on this. Cake's validation structure is easy to apply and works flawlessly (so far, wink,wink). But I've also written some data validation with jQuery which is activated at the client side.

Is there still a need to validate at the server if most browsers support javascript? Do some of you leave off the server side validation in lieu of client side? How's that HTML5 data validation working for you?

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
 
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+u...@googlegroups.com.
To post to this group, send email to cake...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.
