Yes, I would say most people use the controller/action/params type URLs. Most people's thoughts about passing the action through a POST instead of a GET to make it more secure are moot. You can fake (and modify variables in) a POST request just as easily as you can with GET.
Your post indicates that you are aware of verifying user permissions before you do any modifications to the database, so I won't go into that. Typically, a GET request should never modify anything on the server. The default baked controllers in Cake still use a GET for the delete action for simplicity, but really they should be POST in a secure application. You are left to implement this yourself (with the help of the RequestHandler/Security components).

Cheers,
Adam

On Jan 13, 9:27 am, SethA <[email protected]> wrote:

> I'm new to all this. It all started with a desire on my part to start building some PHP based apps on my own time. I'm not a programmer by trade, so try to be understanding with me :). After months of [part time] googling, I've become familiar (somewhat) with MVC, why it is important, frameworks, why I should use one, etc. (problem with googling is that in a fluid landscape, oftentimes it is hard to discern obsolete info/articles from contemporary and current best practices). Haven't started anything yet due to my perfectionism wanting to "do it right" the first time. I've finally gotten myself to the point of taking that leap, and I think I am ready. Not wanting to write spaghetti PHP just to have to redo it later in a better way once I get my feet wet.... Up till now, I've just been finding my way by stumbling across this blog, that article, yada yada. This is my first time posting anywhere to ask specific questions that are troubling me.
>
> I've been trying to find a good framework, what do most people use these days, yada, yada. Yeah, I know, probably a stupid question. I have looked at Phrame (I know...) because some [old] articles I read during my research used it as an example for MVC based apps. I was tempted to build my first app with it, but decided that due to its apparent lack of maintenance and aging state (uses PHP4), I should find out what else is out there. Stumbled across CakePHP, and this seems like a good place to begin (at least). I haven't completely settled on this as my choice to dive in and am hoping the answer I get can help me fully decide.
>
> Soooo, anywho... here goes. What is bothering me as I have begun looking through the docs and the example blog app is this: I see that the basic mechanism for the web app to trigger various actions and so forth is to use URLs of this form "site.com/controller/action/param1/param2". I fully accept that I may be the idiot of the year for asking whether I am wrong in thinking that this is a basic security problem? I personally don't want to expose this to an end user. I guess I am thinking that anyone could attempt to type a desired action into the address bar whether or not the application should allow them to take that action. For example, /posts/delete/52. Obviously you could/should build the logic into the controller to check the rights for the user to take an action, in this case maybe delete a particular blog post, only if the user has rights to do so. That goes without saying, and I consider it a must anyway.
>
> But I would still prefer to not even expose the application controller logic at all to the end user if that is possible. I would assume that CakePHP can just as easily use POST variables to contain the action and params and then a redirect to avoid the "browser refresh" issue that POST tends to create. Is this assumption correct? Am I crazy for even worrying about this? I'm curious if most people just follow the generic CakePHP convention for URLs (controller/action/params), or if there is something that is a better practice to implement.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
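Adam's advice (POST-only delete, a server-side ownership check, and a redirect afterwards) written out as a CakePHP 1.2-era controller. This is an added example, not code from the thread or from CakePHP's baked templates; it assumes a `Post` model with a `user_id` column and the Auth component keeping the current user logged in.

```php
<?php
// Added example (CakePHP 1.2-style controller); not code from the thread or from CakePHP.
// Assumes a Post model with a user_id column and the Auth component for the logged-in user.
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Auth', 'Security', 'RequestHandler');

    function beforeFilter() {
        parent::beforeFilter();
        // Only accept POST for delete: SecurityComponent sends a plain GET
        // (e.g. /posts/delete/52 typed into the address bar) to its blackhole
        // callback instead of running the action.
        $this->Security->requirePost('delete');
    }

    function delete($id = null) {
        // Belt and braces: refuse anything that is not a POST, even if the
        // Security component is ever disabled for this controller.
        if (!$this->RequestHandler->isPost()) {
            $this->Session->setFlash('Delete requests must be submitted with a form.');
            $this->redirect(array('action' => 'index'));
        }
        $post = $this->Post->read(null, $id);
        if (!$post) {
            $this->Session->setFlash('Post not found.');
            $this->redirect(array('action' => 'index'));
        }
        // Authorization: the id is visible in the URL, so ownership must be
        // checked here, never assumed from whatever link the user clicked.
        if ($post['Post']['user_id'] != $this->Auth->user('id')) {
            $this->Session->setFlash('You are not allowed to delete this post.');
            $this->redirect(array('action' => 'index'));
        }
        $this->Post->delete($id);
        $this->Session->setFlash('Post deleted.');
        // Redirect after the POST so a browser refresh only re-issues a GET of the index.
        $this->redirect(array('action' => 'index'));
    }
}
?>
```

In the view, the baked "Delete" link becomes a small form (for example `$form->create('Post', array('action' => 'delete/' . $post['Post']['id']))` followed by `$form->end('Delete')`) so that the request arrives as a POST.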
