It would be a nice idea if this were pointed out in big red letters in the blog tutorial and manual ;) As I think a lot of users will be overlooking this.
On Oct 12, 2:58 pm, djiize <[EMAIL PROTECTED]> wrote:
> One best practice, specify which fields are to be saved:
> http://api.cakephp.org/1.2/class_model.html#ebe42ae387be89985b5a35dd4...
> The third argument of the Model->save() is an array "List of fields to
> allow to be written"
> and in your CREATE TABLE, add "DEFAULT 0" to "active" field.
>
> On 12 oct, 14:39, grigri <[EMAIL PROTECTED]> wrote:
>
> > Well, sure - $this->User->save() will save any correct data in the
> > array. But the user doesn't have access to model functions, only
> > controller functions (actions). And in your controller action you
> > should always, always, always validate the data being transmitted.
> > This isn't cakephp-specific, it's a general rule of web development.
> > Always assume that every form submission is a cracker trying to do
> > something they shouldn't.
> >
> > Just doing something like this would be sufficient:
> >
> > class UsersController extends AppController {
> >     // ...
> >     function edit($id = null) {
> >         if (!empty($this->data)) {
> >             unset($this->data['User']['active']);
> >             // carry on as normal here
> >         }
> >     }
> >     // ...
> > }
> >
> > Although logging and trapping could be useful too.
> >
> > I believe the 1.2 Security Component has some way of designating form
> > fields as restricted, as well as ensuring only fields that were
> > generated with formhelper are accepted. Not 100% sure how that works
> > though. But to be fair, it's hardly rocket science to do it yourself.
> >
> > On Oct 12, 9:28 am, Sharkoon <[EMAIL PROTECTED]> wrote:
> >
> > > Well he's got a point.
> > >
> > > When I have this:
> > > $form->input('User.email');
> > > $form->input('User.password');
> > >
> > > and put via firebug <input type="text" name="data[User][active]"
> > > value="1">
> > >
> > > and then $this->User->save($this->data);
> > > It saves active as well!!!
> > >
> > > A huge security risk!!
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---
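The two defences the thread discusses, a whitelist of writable fields (the idea behind the field list that djiize says save() takes as its third argument) and grigri's explicit unset() of the sensitive column, as an added plain-PHP example. This is not code from the thread or from CakePHP; the function names, the field names and the sample submission are constructed so it runs on its own without the framework.

```php
<?php
// Added example (not from the thread or CakePHP): plain PHP that mimics what a
// controller action receives in $this->data and applies the two defences the
// thread describes. filterSubmittedFields() stands in for a whitelist like the
// field list passed to save(); stripProtectedFields() is the unset() approach.
// Function names and the sample submission below are constructed.

/**
 * Keep only the fields the form is allowed to write for the given model.
 * Anything else (for example a smuggled data[User][active]) is dropped and
 * returned under 'rejected' so the caller can log the tampering attempt.
 */
function filterSubmittedFields(array $data, $model, array $allowed)
{
    $clean = array();
    $rejected = array();
    if (!isset($data[$model]) || !is_array($data[$model])) {
        return array('data' => array($model => array()), 'rejected' => $rejected);
    }
    foreach ($data[$model] as $field => $value) {
        if (in_array($field, $allowed, true)) {
            $clean[$field] = $value;
        } else {
            $rejected[] = $field;
        }
    }
    return array('data' => array($model => $clean), 'rejected' => $rejected);
}

/**
 * The narrower fix from the thread: remove the fields a user must never set.
 * This is a blacklist, so every newly added sensitive column has to be listed
 * here too; the whitelist above fails closed instead.
 */
function stripProtectedFields(array $data, $model, array $protected)
{
    foreach ($protected as $field) {
        unset($data[$model][$field]);
    }
    return $data;
}

// Constructed sample: the form only rendered email and password, but the
// submission carries an extra "active" field, as in Sharkoon's report.
$submitted = array(
    'User' => array(
        'email'    => 'someone@example.com',
        'password' => 'hunter2',
        'active'   => '1',
    ),
);

// Whitelist: only email and password survive; 'rejected' lists what was dropped
// and is the thing to write to a log before carrying on with the save.
$result = filterSubmittedFields($submitted, 'User', array('email', 'password'));

// Blacklist: the same submission with only the protected column removed.
$stripped = stripProtectedFields($submitted, 'User', array('active'));

if (PHP_SAPI === 'cli') {
    print_r($result);
    print_r($stripped);
}
```

In a controller you would run the incoming $this->data through the whitelist before handing it to save(), and pass the same list of allowed fields as the field-list argument the thread mentions, so that the database write is restricted even if a later code path forgets the filter. Pairing either filter with a DEFAULT 0 on the column, as djiize suggests, covers the create path as well as the edit path.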
