CakePHP hidden edit fields

Question

I just started using the CakePHP framework, 2.0 to be precise. I read most of the documentation and examples and came across the blog tutorial.

http://book.cakephp.org/2.0/en/tutorials-and-examples/blog/part-two.html#editing-posts In the "edit post" section of the tutorial I saw they were using a hidden field to remember the post id. Isn't this bad practice because of client side modifications?

The way I handled this is remove the hidden field, and when the form is submitted add the post id to the POST data before saving and validating it. Is this the correct way to do this?

Answer 1

yes, thats pretty much the right way if you are concerned about tampering with the data. if the record belongs to a certain user you need to make sure that this user can't just replace the id with the one of an other user's record. the security component does NOT help here either (at least for some aspects).

read more about it here: http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/

Answer 2

SecurityComponent will help with hidden fields. It will black-hole any request that it detects contains tampered-with hidden inputs, but it won't do anything for drop-down inputs. You can crack some AddUser form open in firebug and add an option:

<option value="superadmin">SuperAdmin</option>

Into the "role" drop-down, select it on the form, and upon submission, CakePHP will create a new SuperAdmin. So the best policy is still to not trust the client. The client is a pack of timberwolves and your server is a clutch of bunny-rabbits. Keep those two separate.

Answer 3

All you have to do is add the SecurityComponent to your AppController::$components variable to prevent the client from altering hidden fields.