On Apr 25, 2:05 pm, Linas <[email protected]> wrote:

> So the save() method doesn't do much about security?
> I understand that it cannot detect problems you've mentioned. Does it
> at least escape data properly?
> What are the patterns/advice for doing things correctly? When looking
> at how to develop with Cake PHP I never saw any advice on how to
> validate if the hidden fields, etc weren't changed. Although I realize
> now that it is very important.
If you're not using the Security component, then using hidden fields to store valuable data can lead to trouble since anyone can then change that value and the server would never know about it. The other option of course is to not use hidden fields and get the same data that would have been stored in these fields either from the user session perhaps or by doing a find or other query.

It may also be wise to use the Sanitize class (http://book.cakephp.org/view/153/Data-Sanitization) to clean the data before inserting it into your database (to strip out or escape HTML, etc. that may have been submitted).

Also, one last thing is that $this->Model->save() has a 'fieldList' parameter (or array index depending on your usage of save) that allows you to specify only the fields in $this->data that should be saved. This will prevent other data that has been injected into the HTML form on the client-side from making its way into your database when the form is submitted to the server.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
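The three pieces of advice in the reply above (enable the Security component, take ownership data from the session or a query instead of a hidden field, and whitelist the saved columns with fieldList) combined in one CakePHP 1.2-style controller action. This is an added illustration, not code from the thread or from the CakePHP project; the `Post` model and its `title`, `body` and `user_id` columns are a hypothetical schema chosen for the example.

```php
<?php
// Added example (hypothetical Post model with id, title, body, user_id).
class PostsController extends AppController {
    var $name = 'Posts';

    // Security signs every form built with FormHelper and blackholes a POST
    // whose hidden fields were altered or which carries fields the form
    // never rendered. Auth and Session give us the logged-in user's id.
    var $components = array('Security', 'Auth', 'Session');

    function edit($id = null) {
        $userId = $this->Auth->user('id');

        // Ownership comes from a query, not from a hidden "data[Post][user_id]"
        // field that a client could rewrite before submitting.
        $owned = $this->Post->find('count', array(
            'conditions' => array('Post.id' => $id, 'Post.user_id' => $userId)
        ));
        if (!$owned) {
            $this->Session->setFlash('Not your post.');
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Optional: strip HTML and escape the submitted values.
            App::import('Sanitize');
            $this->data = Sanitize::clean($this->data);

            // Overwrite anything the client may have sent for these columns
            // with values the server already trusts.
            $this->data['Post']['id'] = $id;
            $this->data['Post']['user_id'] = $userId;

            // fieldList whitelists the columns save() will write; an injected
            // "data[Post][published]" or similar is dropped, not stored.
            $fieldList = array('id', 'title', 'body', 'user_id');
            if ($this->Post->save($this->data, true, $fieldList)) {
                $this->Session->setFlash('Post saved.');
                $this->redirect(array('action' => 'view', $id));
            }
            $this->Session->setFlash('Could not save the post.');
        } else {
            $this->data = $this->Post->read(null, $id);
        }
    }
}
```

The third argument to `save()` is the 1.2 signature; in releases that accept an options array the same whitelist is passed as `array('fieldList' => $fieldList)`, which is the "array index" variant the reply mentions.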
