Well, sure - $this->User->save() will save any correct data in the
array. But the user doesn't have access to model functions, only
controller functions (actions). And in your controller action you
should always, always, always validate the data being transmitted.
This isn't CakePHP-specific, it's a general rule of web development.
Always assume that every form submission is a cracker trying to do
something they shouldn't.
Just doing something like this would be sufficient:
class UsersController extends AppController {
    // ...
    function edit($id = null) {
        if (!empty($this->data)) {
            // Drop the field the form never renders, so a client-added
            // data[User][active] value cannot reach save().
            unset($this->data['User']['active']);
            // carry on as normal here
        }
    }
    // ...
}
Although logging and trapping could be useful too.
I believe the 1.2 Security Component has some way of designating form
fields as restricted, as well as ensuring only fields that were
generated with FormHelper are accepted. Not 100% sure how that works
though. But to be fair, it's hardly rocket science to do it yourself.
On Oct 12, 9:28 am, Sharkoon <[EMAIL PROTECTED]> wrote:
> Well he's got a point.
>
> When I have this:
> $form->input('User.email');
> $form->input('User.password');
>
> and put via Firebug <input type="text" name="data[User][active]"
> value="1">
>
> and then $this->User->save($this->data);
> It saves active as well!!!
>
> A huge security risk!!
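An added example, not code from this thread or from CakePHP itself, generalising the unset() approach above into an allow-list filter for the data[Model][field] array that CakePHP puts in $this->data; filterSubmittedFields and the sample submission are assumptions constructed here, and the script runs in plain PHP without the framework:

```php
<?php
// Added example: keep only the fields a form is meant to submit.
// Anything a client adds by hand (e.g. data[User][active]) is dropped,
// without having to enumerate every sensitive column in unset() calls.

function filterSubmittedFields(array $data, array $allowed)
{
    $clean = array();
    foreach ($allowed as $model => $fields) {
        if (!isset($data[$model]) || !is_array($data[$model])) {
            continue;
        }
        foreach ($fields as $field) {
            if (array_key_exists($field, $data[$model])) {
                $clean[$model][$field] = $data[$model][$field];
            }
        }
    }
    return $clean;
}

// Constructed submission: the two fields the form renders plus one
// field injected on the client side, as in the Firebug scenario above.
$submitted = array(
    'User' => array(
        'email'    => 'alice@example.com',
        'password' => 'hunter2',
        'active'   => '1',   // not rendered by the form; added by the client
    ),
);

// Allow-list: model => fields the form actually renders.
$allowed = array('User' => array('email', 'password'));

$clean = filterSubmittedFields($submitted, $allowed);

// 'active' is gone; only email and password remain.
var_dump(isset($clean['User']['active']));
var_dump(array_keys($clean['User']));

// In a controller action this sits before the save:
//   $this->data = filterSubmittedFields($this->data, $allowed);
//   $this->User->save($this->data);
```

In CakePHP 1.2, Model::save() also accepts a field list as its third argument, which applies the same restriction at the model layer.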
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en