Recently I finished the tutorial about creating a simple blog using CakePHP - here is the link: http://book.cakephp.org/2.0/en/tutorials-and-examples/blog/part-two.html Creating a validation form is very easy and fast, but I noticed one issue with it.
The file named post.ctp contains:
echo $this->Form->create('Post');
echo $this->Form->input('title');
And it generates a form for the end user with this input:
<input id="PostTitle" type="text" required="required" maxlength="50" name="data[Post][title]">
Someone who is using Firefox Firebug can change the HTML code before submitting the form from name="data[Post][title]" to name="data[Post][author]". The result of this will update the column named "author", not "title", and also allows updating the database with empty data for "title".
In the folder named "Model", the validation rule in Post.php doesn't prevent that:
class Post extends AppModel {
    public $validate = array(
        'title' => array(
            'rule' => 'notEmpty'
        ),
        'body' => array(
            'rule' => 'notEmpty'
        )
    );
}
How do I secure my application and not allow someone to update other columns in the database?
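An added example (not code from the question or from the CakePHP blog tutorial) showing the two CakePHP 2 mechanisms that address this: a `fieldList` whitelist on `save()` so renamed inputs are never written, plus `'required' => true` so a missing `title` still fails validation, with `SecurityComponent` rejecting POSTs whose field set differs from what `FormHelper` rendered. It assumes the tutorial's `posts` table plus the `author` column mentioned in the question; in a real app the two classes live in Model/Post.php and Controller/PostsController.php.

```php
<?php
// Added example, not from the question or the CakePHP blog tutorial.
// Layers against a form field renamed in the browser:
//  1. Model: 'required' => true makes a *missing* title fail validation
//     (notEmpty alone is skipped when the key is absent from the data).
//  2. Controller: fieldList whitelist, so only title and body are written;
//     a field renamed to data[Post][author] is silently discarded.
//  3. SecurityComponent: FormHelper emits a signed list of field names and
//     the component blackholes (400 Bad Request) any POST that differs.
// Assumes the tutorial's `posts` table with an extra `author` column.
App::uses('AppModel', 'Model');
App::uses('AppController', 'Controller');

class Post extends AppModel {
    public $validate = array(
        'title' => array(
            'rule' => 'notEmpty',
            'required' => true,   // key must be present on create and update
            'message' => 'A title is required'
        ),
        'body' => array(
            'rule' => 'notEmpty',
            'required' => true
        )
    );
}

class PostsController extends AppController {
    public $components = array('Session', 'Security');

    public function add() {
        if ($this->request->is('post')) {
            $this->Post->create();
            // Whitelist: keys of the request data outside fieldList are never
            // saved, regardless of what the submitted HTML named them.
            $saved = $this->Post->save(
                $this->request->data,
                array('fieldList' => array('title', 'body'))
            );
            if ($saved) {
                $this->Session->setFlash(__('Your post has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to add your post.'));
        }
    }
}
```

The same `fieldList` option applies to `saveAll()` and to an `edit()` action; without it, every key under `data[Post]` that matches a column is written.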