I think my wording is confusing people.

Basically I have 1 form with checkboxes created from a find(). The form
displays the checkboxes, which all have a value. I do not want people who
know how, using Firebug or other methods, to change the values in the code
and then submit the form with the altered data...

And I also want to list the database fields in the controller so that when
the user submits the form, only those fields are allowed to have data
saved/updated (that's where the white/black list comes into play).

I have no ID fields anywhere on the site but just from my limited exposure
to Cake it would not be hard to guess that anyone with Cake experience can
view the source code, see that it’s a cake application and add a field in
the form [User][id] or [User][group_id] something just to see what happens
and submit the form. So limiting the fields that are used in the save() is
where I am at now.

Thanks everyone

Dave

-----Original Message-----
From: John Andersen [mailto:[email protected]] 
Sent: April-30-09 2:40 AM
To: CakePHP
Subject: Re: $blacklist / $whitelist HABTM


One way is to just not allow id fields to arrive from outside when
submitting a form!
This also applies when working with multiple records in an update form.
So that means you have to know when you are expecting an update and when a
new record!
Enjoy,
   John

On Apr 30, 3:59 am, "Dave Maharaj :: WidePixels.com"
<[email protected]> wrote:
> Just reading up on $blacklist and $whitelist fields when saving.
> http://teknoid.wordpress.com/2009/03/11/blacklist-your-model-fields-f.../
>
> My question using an example where
> USER HABTM ORGANIZATIONS
> USER HABTM SKILLS
> USER HABTM so on....
>
> I build a form where the User can update their SKILLS (only skills, no
> other info)
> the only fields being updated are id, user_id and skill_id in the
> users_skills table
>
> how do you blacklist or whitelist a field that is used in all the 
> tables such as id? Because the users_skills 'id' obviously need to 
> allow but not the Users 'id'
>
> $this->User->save($this->data);
>
> I only ask because in my save() I see the SQL queries and see all the
> info pertaining to the User when a change is made
>
> So if someone made a new field with FireBug  name=data[User][password]  
> or name=data[User][id] could they not submit the form and update the 
> values in the table?
>
> Dave
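
Added example, not part of the original thread and not CakePHP's own code: one way to clean the posted array before it reaches save(), so that injected fields are dropped and checkbox values are limited to the ones the find() produced. The function names, the data[Skill][Skill] layout and all sample values are assumptions made for illustration.

```php
<?php
// Added example: plain PHP, no framework calls. Assumed layout: each ticked
// checkbox posts data[Skill][Skill][] = <skill id>.

// Keep only the model/field pairs named in $allowed; anything else the client
// sent (User.id, User.group_id, User.password, ...) is dropped.
function whitelistFields(array $data, array $allowed)
{
    $clean = array();
    foreach ($allowed as $model => $fields) {
        if (!isset($data[$model]) || !is_array($data[$model])) {
            continue;
        }
        foreach ($fields as $field) {
            if (array_key_exists($field, $data[$model])) {
                $clean[$model][$field] = $data[$model][$field];
            }
        }
    }
    return $clean;
}

// Keep only checkbox values the server itself rendered, i.e. the ids
// returned by the find() that built the form.
function keepKnownIds($submitted, array $validIds)
{
    $valid = array_map('strval', $validIds);
    $kept = array();
    foreach ((is_array($submitted) ? $submitted : array()) as $value) {
        if (is_scalar($value) && in_array((string) $value, $valid, true)) {
            $kept[] = (int) $value;
        }
    }
    return array_values(array_unique($kept));
}

// Constructed sample: a tampered submission like the one described above.
$posted = array(
    'User'  => array('id' => '1', 'group_id' => '1', 'password' => 'x'),
    'Skill' => array('Skill' => array('3', '7', '999', '7', 'abc')),
);
$validSkillIds = array(3, 5, 7); // constructed: ids the find() returned
$sessionUserId = 42;             // constructed: id of the logged-in user

$clean = whitelistFields($posted, array('Skill' => array('Skill')));
$submitted = isset($clean['Skill']['Skill']) ? $clean['Skill']['Skill'] : null;
$clean['Skill']['Skill'] = keepKnownIds($submitted, $validSkillIds);
$clean['User']['id'] = $sessionUserId; // set server-side, never from the form

print_r($clean);
```

The cleaned array, rather than the raw $this->data, is what would then be handed to $this->User->save().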

