On Jan 19, 11:29 pm, Delirium tremens <pedbe...@gmail.com> wrote:
> http://localhost/CakePHP/cakeBlog/posts/delete/1
>
> 1 can be anything
>
> What if a cracker visits http://localhost/CakePHP/cakeBlog/posts/delete/'all'

If you accessed that URL and deleted all of your posts, you've done
something wrong. It would generate ".. where id = 'all'", which would do
nothing.

If you mean more generally how to secure your actions, that's auth +
not doing anything via GET requests (i.e. protecting yourself from
CSRF). Simply using the Security component and requirePost for
delete can achieve that; it would mean that unless your code generated the
form to the delete action, it wouldn't do anything.

hth,

AD
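For the controller behind the URL in the question, this is an added example (not code from the thread or from CakePHP itself) of the approach AD describes, written in CakePHP 1.2 style: Auth for login, the Security component with requirePost on delete, and a FormHelper-built POST form in the view. Component and helper names are CakePHP's; the controller, model and field names are assumptions taken from the /posts/delete/1 URL.

```php
<?php
// Added example: PostsController hardened as described in the reply.
// Names (Posts, Post, $post['Post']['id']) are assumptions from the URL.
class PostsController extends AppController {
    var $name = 'Posts';

    // Auth: only a logged-in user reaches delete() at all.
    // Security: requirePost() sends a plain GET /posts/delete/1 (a link someone
    // is tricked into clicking, or a URL typed by hand) to the black hole
    // instead of the action; the default black hole answers with a 404.
    var $components = array('Auth', 'Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('index', 'view');     // every other action needs a login
        $this->Security->requirePost('delete');  // delete only via POST
        // Forms built with FormHelper carry per-session _Token fields that the
        // Security component validates, so a form forged elsewhere is refused.
    }

    function delete($id = null) {
        // An id like 'all' would only produce WHERE id = 'all', which matches
        // nothing; reject non-numeric ids explicitly instead of relying on that.
        if (!$id || !is_numeric($id)) {
            $this->Session->setFlash('Invalid post id.');
            $this->redirect(array('action' => 'index'));
        }
        if ($this->Post->delete($id)) {
            $this->Session->setFlash('Post deleted.');
        }
        $this->redirect(array('action' => 'index'));
    }
}

// In views/posts/index.ctp (same added example): render the delete control as
// a small POST form rather than an <a> link, so the Security token is included
// and GET can never trigger the action.
echo $form->create('Post', array('url' => array('action' => 'delete', $post['Post']['id'])));
echo $form->end('Delete');
?>
```

With this in place, a bare GET to /posts/delete/1 is black-holed before delete() runs, and only the form your own view generated can submit the delete.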

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.