In a non-REST application you would only get to an edit form after clicking a system generated edit link for an existing post and as such the id hidden field value would be correct.
If for some strange reason the ID did not exist when retrieving the data to populate the form then you would deal with this before the form is submitted, not during the save call. Should a malicious user use FireBug or some other method to inject a new value into a valid form, then the form's security token would be invalid and the request would be black holed. HTH, Paul. -- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
