you shouldn't use the cake default templates
they are in no way prepared for the real world

modify them in order to protect your data
in your case you retrieve the data first in the edit action
and right before save() you check the passed id against the real one
from the record
if they don't match, blackhole the request.

I wrote some custom templates years ago
http://www.dereuromark.de/2010/06/22/cake-bake-custom-templates/
check out the edit action
your injection is not covered by it yet, though - that would still
have to be done

hope that helps


On 20 Sep., 16:11, rethab <[email protected]> wrote:
> hi there
>
> I have the following (simplified) scenario: A usual form to add a post
> (from the blog tutorial). If the form is submitted, this method is
> called inside the action: $this->Post->save($this->data);
> I also have some validation stuff inside the post model (title, body).
>
> Now I know, anybody can submit any data to my server, e.g. a variable
> called data[Post][id] additionally to the usual form data. What
> happens now? The post is actually inserted with the submitted id! By
> the way, this could override an existing post ;)
>
> So what I did is, I added a validation criterion to the post model
> which forces the id to be empty. This causes the post not to be
> validated and therefore it cannot be saved.
>
> It does work as expected, but is that the official way to prevent
> arbitrary primary key "injection"? I don't want to check it inside the
> controller action.
>
> I'd appreciate it if somebody could show me his/her solution to this or
> if there's even a standard way.
>
> Regards,
> rethab
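The two checks discussed in this thread, as an added example in the style of a CakePHP 1.3 controller (not the poster's code and not cake's bake templates): the add action strips a posted data[Post][id] before save(), and the edit action loads the record first and blackholes the request when the submitted id does not match it. The PostsController, Security component and fieldList whitelist are assumed to be available as in a stock 1.3 app.

```php
<?php
// Added example, assumes a CakePHP 1.3 app with a Post model (title, body)
// and the Security component loaded. Not taken from the thread or from cake.
class PostsController extends AppController {

    public $components = array('Security', 'Session');

    public function add() {
        if (!empty($this->data)) {
            // A client can post data[Post][id] next to the form fields.
            // Drop it explicitly and reset the model so no id reaches save().
            unset($this->data['Post']['id']);
            $this->Post->create();
            // Defence in depth: the fieldList whitelist restricts which
            // columns save() may write, so a stray id is ignored anyway.
            if ($this->Post->save($this->data, true, array('title', 'body'))) {
                $this->Session->setFlash('Post saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

    public function edit($id = null) {
        // Load the real record first; refuse to edit what does not exist.
        $post = $this->Post->read(null, $id);
        if (!$post) {
            $this->Session->setFlash('Invalid post.');
            $this->redirect(array('action' => 'index'));
            return;
        }
        if (!empty($this->data)) {
            // The hidden id field in the form can be tampered with. Compare
            // it with the id of the record actually loaded and blackhole
            // the request on mismatch, right before save() as advised above.
            $submitted = isset($this->data['Post']['id']) ? $this->data['Post']['id'] : null;
            if ((string)$submitted !== (string)$post['Post']['id']) {
                $this->Security->blackHole($this, 'Primary key mismatch');
                return;
            }
            // Pin the id to the loaded record and whitelist editable fields.
            $this->data['Post']['id'] = $post['Post']['id'];
            $this->Post->id = $post['Post']['id'];
            if ($this->Post->save($this->data, true, array('id', 'title', 'body'))) {
                $this->Session->setFlash('Post updated.');
                $this->redirect(array('action' => 'index'));
            }
        } else {
            $this->data = $post;
        }
    }
}
```

With the Security component enabled, blackHole() also aborts the request on its own; the explicit return only makes the intent obvious if a blackHoleCallback is configured that does not exit.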
