No, you can't. Submitting arbitrary data to a POST form is exactly the thing you avoid with this approach. Maybe I misused the word ID. What I meant could better be called an authenticity token (that's what Rails calls it); it has nothing to do (better: must not have anything to do) with the actual ID of your data record. But you still have to take care of XSS attacks. See http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf for more information.
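An added illustration, not code posted in this thread and not CakePHP's or Rails' implementation, of the per-session authenticity token ohcibi is describing, written in plain PHP so it runs on its own. The function names and the two request arrays are made up for the example. It shows what the token check does and does not do: it proves the submission came from a form your server rendered for this session, but it does not look at which fields the submission carries.

```php
<?php
// Added example: a minimal per-session authenticity (anti-CSRF) token in
// plain PHP. Function names are invented for this illustration; CakePHP's
// Security component and Rails' protect_from_forgery implement the same idea.

session_start();

// Create the token once per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['_authenticity_token'])) {
        $_SESSION['_authenticity_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_authenticity_token'];
}

// Hidden field to embed in every form the server renders.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="_authenticity_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted form. hash_equals() is a constant-time comparison, so the
// token cannot be recovered byte by byte through response timing.
function csrf_valid(array $post): bool
{
    if (!isset($post['_authenticity_token']) || !is_string($post['_authenticity_token'])) {
        return false;
    }
    return hash_equals(csrf_token(), $post['_authenticity_token']);
}

// --- Constructed requests, built here for the illustration ---

// 1) A form posted from another site: the attacker has no way to read the
//    victim's session token, so the check rejects the request.
$forged = [
    'data' => ['Post' => ['title' => 'x', 'body' => 'y']],
    '_authenticity_token' => 'attacker-guess',
];
var_dump(csrf_valid($forged));

// 2) The legitimate, logged-in user edits the DOM and adds data[Post][id]
//    before submitting. The token is genuine, so the check passes: the token
//    says nothing about which fields are present. That has to be handled
//    separately (validation or a field whitelist on save).
$tampered = [
    'data' => ['Post' => ['id' => 1, 'title' => 'x', 'body' => 'y']],
    '_authenticity_token' => csrf_token(),
];
var_dump(csrf_valid($tampered));
```

Run it with `php csrf_demo.php` from the command line; the session is created on the fly. The second request is the case rethab raises further down the thread, and it is the reason the token alone does not settle the data[Post][id] question.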
> You could still add an arbitrary field and send it to the server.

If you want to prevent the user from inserting arbitrary data into the DB by adding extra fields into the DOM or something like that, you could use CakePHP's whitelist feature, which limits the keys that are allowed to be stored in the DB.

On 21 Sep., 10:59, rethab wrote:
> Thanks for the link to your blog, euromark. It helped me a lot and I now see
> my question as solved.
>
> @ohcibi: I don't think your approach fixes the problem I described.
> You could still add an arbitrary field and send it to the server.
>
> 2010/9/21 ohcibi
>
> > The normal approach is to generate an ID and include it as a hidden
> > field in your form. If this field is missing or has a wrong value,
> > you'll know that the form data came from the wrong place.
> >
> > On 20 Sep., 16:11, rethab wrote:
> > > Hi there,
> > >
> > > I have the following (simplified) scenario: a usual form to add a post
> > > (from the blog tutorial). If the form is submitted, this method is
> > > called inside the action: $this->Post->save($this->data);
> > > I also have some validation stuff inside the Post model (title, body).
> > >
> > > Now I know anybody can submit any data to my server, e.g. a variable
> > > called data[Post][id] in addition to the usual form data. What
> > > happens now? The post is actually inserted with the submitted id! By
> > > the way, this could override an existing post ;)
> > >
> > > So what I did is, I added a validation criterion to the Post model
> > > which forces the id to be empty. This causes the post not to be
> > > validated, and it can therefore not be saved.
> > >
> > > It does work as expected, but is that the official way to prevent
> > > arbitrary primary key "injection"? I don't want to check it inside the
> > > controller action.
> > >
> > > I'd appreciate it if somebody could show me his/her solution to this or
> > > if there's even a standard way.
> > >
> > > Regards,
> > > rethab

You received this message because you are subscribed to the Google Groups "CakePHP" group.
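An added example, not code from the thread: a plain-PHP simulation of the request rethab describes and of the field whitelist the reply above recommends. The `FakePost` class and the `$request` array are constructed here so the script runs without the framework; only the whitelist filtering is the real technique. In CakePHP 1.3 the whitelist is the third argument of Model::save(), i.e. `$this->Post->save($this->data, true, array('title', 'body'))`.

```php
<?php
// Added example, constructed for this thread: how an injected data[Post][id]
// reaches save() and how a field whitelist stops it. FakePost stands in for
// the CakePHP model and its table; it is not CakePHP code.

class FakePost
{
    /** @var array<int, array> in-memory stand-in for the posts table */
    public array $rows = [
        1 => ['id' => 1, 'title' => 'Existing post', 'body' => 'Do not touch'],
    ];

    // Mirrors the shape of CakePHP 1.3's Model::save($data, $validate, $fieldList):
    // when $fieldList is non-empty, only those keys are taken from the request.
    public function save(array $data, array $fieldList = []): array
    {
        $fields = $data['Post'];
        if ($fieldList) {
            $fields = array_intersect_key($fields, array_flip($fieldList));
        }
        // A client-supplied id selects the row to write (an UPDATE of that
        // primary key); without one a new row is created.
        $id = isset($fields['id'])
            ? (int) $fields['id']
            : max(array_keys($this->rows)) + 1;
        $this->rows[$id] = array_merge($this->rows[$id] ?? [], $fields, ['id' => $id]);
        return $this->rows[$id];
    }
}

// Request body as PHP parses it: the two rendered form fields plus an
// injected data[Post][id]=1 that the form never contained.
$request = [
    'data' => ['Post' => ['id' => '1', 'title' => 'Hijacked', 'body' => 'Overwritten']],
];

// Vulnerable: the equivalent of $this->Post->save($this->data) with no field list.
// Row 1, an existing post, is overwritten with the attacker's title and body.
$vulnerable = new FakePost();
$vulnerable->save($request['data']);
print_r($vulnerable->rows);

// Hardened: the equivalent of $this->Post->save($this->data, true, array('title', 'body')).
// The injected id is dropped before it is looked at, so row 1 is untouched and
// the submission becomes a new row with a server-assigned id.
$hardened = new FakePost();
$hardened->save($request['data'], ['title', 'body']);
print_r($hardened->rows);
```

The whitelist and rethab's validation rule attack the same problem from different sides: the rule rejects the whole request when an id is present, while the whitelist silently discards any key the form was not meant to carry, which also covers fields other than the primary key (a `user_id` or `published` flag, for example) without a rule per field.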
