If you are using sessions and someone logs in, then you can compare
the ids. So if the user id in the session is not equal to the request id in the link,
then do not allow this action.

The other thing I would suggest is not to use any ids in URLs anyway.
Use for example unique tokens (with functions like
http://de2.php.net/manual/en/function.uniqid.php). I created a Propel
behaviour which creates one whenever I save an object (and it is
new). I use those tokens in URLs for critical objects instead of plain
ids.

Hope this gives you an idea.

Michael



On 11 Apr., 09:47, dziobacz <[email protected]> wrote:
> But I would like to make it so that users can add links, so in settings.yml I
> have set escaping_strategy:      false.
> User with id=1 adds a comment:
> <IMG src="/profil/users/notaccept/22">
> User with id=5 goes to the page with <IMG src="/profil/users/notaccept/
> 22"> and it deletes his friend with id=22 from the database :(
> My application isn't safe :( !! What can I do ? :((((
>
> On 11 Apr., 08:38, "[email protected]" <[email protected]> wrote:
> > I think you misunderstood the concept behind it.
> > CSRFProtection is used in forms, not in simple links.
>
> > Michael
>
> > On 10 Apr., 15:40, dziobacz <[email protected]> wrote:
>
> > > I have read about csrf protection but I still don't understand
> > > everything.
>
> > > I have in settings.yml:
> > > csrf_secret:       secret12
>
> > > I have something like that in template:
> > > User A adds user B to friends. User B can accept it - then I have the link:
> > > <a href="/profile/users/accept/<?php echo $z->getId() ?>" >accept</a>
> > > or not accept it - then the link:
> > > <a href="/profile/users/notaccept/<?php echo $z->getId() ?>" >not
> > > accept</a>
>
> > > Then in actions.class.php I take the id like that:
> > > $id = (int)$request->getParameter('accept');
> > > $id = (int)$request->getParameter('notaccept');
>
> > > and add or delete a row to/from the database. Should I in both cases write:
> > > $request->checkCSRFProtection()  ??
You received this message because you are subscribed to the Google Groups 
"symfony users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/symfony-users?hl=en
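The following is an added example, not code from this thread and not symfony or Propel code, written in plain PHP so it runs with `php example.php` and does not depend on symfony 1.x's form layer. It puts the vulnerable handler from the question (a GET URL that deletes a row) beside a hardened one that applies the points made in the reply: the action must be a POST carrying a session-bound CSRF token, the session user id is compared against the target row so that only the recipient of a friend request can decline it, and rows can optionally be addressed by an opaque per-row token instead of a plain id. Assumptions: `$session` stands in for the server-side session (sfUser in symfony 1.x), `$requests` is a constructed in-memory stand-in for the friend-request table, and the token is generated with `random_bytes()` rather than `uniqid()`, because `uniqid()` is derived from the clock and is guessable.

```php
<?php
// Added example, not code from the thread or from symfony/Propel. $session stands
// in for the server-side session (assumption), $requests for the database table.
declare(strict_types=1);

// Constructed sample data: pending friend requests keyed by row id.
// Row 22 was sent by user 22 to user 5, so only user 5 may accept or decline it.
$requests = [
    22 => ['from' => 22, 'to' => 5, 'token' => 'tok_6f1c2e'],
];

// Per-session CSRF token from a CSPRNG (random_bytes, PHP >= 7). uniqid() is
// clock-derived and guessable, so it is not used for anything unpredictable.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Vulnerable handler as described in the thread: any GET to
// /profile/users/notaccept/<id> deletes row <id>. An <img src="..."> in a
// comment makes every viewer's browser send that GET with its own cookies.
function notAcceptVulnerable(array &$requests, int $id): string
{
    unset($requests[$id]);
    return 'deleted';
}

// Hardened handler: three independent checks. Each alone stops the <img>
// attack; the third also stops a logged-in attacker who submits a genuine
// form against somebody else's row.
function notAcceptHardened(array &$requests, array $session, string $method, array $post): string
{
    // 1. Only POST changes state. <img> and <a> can only issue GET.
    if ($method !== 'POST') {
        return 'rejected: must be POST';
    }
    // 2. The form must carry this session's CSRF token; compare in constant time.
    $sent = (string) ($post['_csrf_token'] ?? '');
    if (!isset($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 'rejected: bad csrf token';
    }
    // 3. Authorization: the row must be addressed to the logged-in user.
    $id = (int) ($post['id'] ?? 0);
    if (!isset($requests[$id]) || $requests[$id]['to'] !== ($session['user_id'] ?? null)) {
        return 'rejected: not your friend request';
    }
    unset($requests[$id]);
    return 'deleted';
}

// Opaque identifier in the URL, as suggested in the reply: the row is looked
// up by its random per-row token instead of its primary key, so ids cannot be
// enumerated. This supplements the checks above; it does not replace them.
function findByToken(array $requests, string $token): ?int
{
    foreach ($requests as $id => $row) {
        if (hash_equals($row['token'], $token)) {
            return $id;
        }
    }
    return null;
}

// Demo: the victim is user 5 (recipient of row 22), the attacker is user 1.
$victim   = ['user_id' => 5];
$attacker = ['user_id' => 1];

$t = $requests;
echo 'vulnerable, GET via <img>: ', notAcceptVulnerable($t, 22), "\n";

$t = $requests;
echo 'hardened, GET via <img>:   ', notAcceptHardened($t, $victim, 'GET', ['id' => 22]), "\n";
echo 'hardened, forged token:    ', notAcceptHardened($t, $victim, 'POST', ['id' => 22, '_csrf_token' => 'x']), "\n";

$attackerToken = csrfToken($attacker);
echo "hardened, other user's row: ", notAcceptHardened($t, $attacker, 'POST', ['id' => 22, '_csrf_token' => $attackerToken]), "\n";

$victimToken = csrfToken($victim);
echo 'hardened, legitimate form: ', notAcceptHardened($t, $victim, 'POST', ['id' => 22, '_csrf_token' => $victimToken]), "\n";

// Resolving an opaque URL token back to a row id before the same checks run.
$t = $requests;
$rowId = findByToken($t, 'tok_6f1c2e');
echo 'row for token tok_6f1c2e: ', var_export($rowId, true), "\n";
```

In a real page the hidden `_csrf_token` field is rendered into the decline form from `csrfToken($session)`, and the two `accept`/`notaccept` handlers share the same three checks. The method and token checks are what stop the `<img>`-injected request; the ownership check is what stops a user who can legitimately submit the form from declining requests that were never addressed to them.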