The information is valuable to the attacker only if s/he has
access to the database (read: there is a security hole in the application).
There may still be a way to get the field list from the table (e.g. SHOW
CREATE TABLE for MySQL) once an attacker can execute their own SQL statements on
the server, but that depends on the hole.
Don't take me as saying that adding an extra protection level would be bad.

On 10/10/07, Comida411 <[EMAIL PROTECTED]> wrote:
> I am a newbie to CakePHP and I have a concern about the way Cake exposes
> the data model of the application in the view. Since we have to follow
> a naming convention for Cake to update the model automatically from
> the view, I see there is a risk of exposing one's data model.
>
> Example:
> I have a user table "users" with fields 1) email_address 2)
> password
>
> On my view when I use Cake syntax like below
> <?php echo $html->input('User/email_address', array('size' => '40'))?>
>
> When the page is rendered, if someone does a view source he can
> clearly see the table name and the column name.
>
> Is it not a security risk?
>
> Thank you for your response.
> Sincerely
> Comida411
--
Sincerely yours,
Olexandr Melnyk
http://omelnyk.net/