I see several comments about using the Security component to ensure that the input data is submitted through "post" rather than submitted in a query string. This is fine, but nothing prevents the user from creating a local HTML file and adding form elements to it. I gave this a try and sure enough I was able to add extra data that my Model->save would then add to the DB. I was then able to effectively block this by adding the allowed fields to $fieldList in the Model->save. Is this the only way to prevent this type of injection? Should I add a fieldList to all saves in my application that accept user input? Do I ever have to worry about a Model1->save() saving data in the Model2 table?
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php -~----------~----~----~----~------~----~------~--~---
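The mass-assignment problem the post describes, as an added example that is not part of the original message or of CakePHP itself: a forged form posts an extra column name, and without a whitelist Model::save() writes every key it finds for that model. The model name User, the columns username/password, and the injected role column are assumptions for illustration. The helper below does in plain PHP what the $fieldList argument of save() does inside Cake, so the effect can be checked without a database; the CakePHP call is shown in a comment.

```php
<?php
// Added example (not from the original post or from CakePHP).
// Shows why a field whitelist is needed against forged form submissions.

// Constructed request body, as a user could send from a local HTML form.
// 'role' is a hypothetical column that the real signup form never offers.
$forgedPost = array(
    'User' => array(
        'username' => 'alice',
        'password' => 'secret',
        'role'     => 'admin',   // injected by editing the form locally
    ),
);

// Columns the signup action is allowed to write (assumed for this example).
$allowed = array('username', 'password');

/**
 * Return only the whitelisted keys of one model's data array.
 * This mirrors what passing $fieldList to Model::save() does: keys not in
 * the list are never sent to the database, regardless of what was posted.
 */
function whitelistFields(array $modelData, array $allowed)
{
    return array_intersect_key($modelData, array_flip($allowed));
}

$clean = whitelistFields($forgedPost['User'], $allowed);
var_dump(isset($clean['role']));   // the injected column has been dropped
var_dump($clean);

// In a CakePHP 1.2/1.3 controller the same whitelist is the third argument
// of save(), whose signature is save($data, $validate, $fieldList):
//
//   if ($this->User->save($this->data, true, $allowed)) { ... }
//
// Without that argument, 'role' would be written whenever the users table
// actually has such a column.
```

Note that save() only writes the calling model's own table; associated records are written through saveAll(), so the question about Model1->save() touching Model2's table comes down to whether the posted data is handed to saveAll() rather than save(). A whitelist per action that accepts user input is the usual practice, since the set of allowed columns depends on what each form is meant to change.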
