Hi AD7six,

My solution to the problem of tampering with record numbers and the like sprang out of the Wizards discussion late last week.

The Post-Redirect-Get pattern requires that the record be held in a server side session between the post and the get. I now always put a retrieved or new record into a session before it is sent for editing. This allows me to check for stale data, and also for tampering with things like ID numbers and field names when processing a post, since the data can be validated against the original held in the session.

Regards,

Langdon

AD7six wrote:
> Hi Olivier,
>
> I think the point is, that you could save the form locally, change the
> hidden field value, and edit/overwrite other entries in the database.
>
> Assume there is some data ACL; here's a real e.g.
>
> Access http://www.noswad.me.uk/tutorials/posts/edit/9
> save the form locally
> set the form action to be an absolute url
> change the hidden field value to "1"
> submit the form
>
> And you just edited entry number 1.
>
> If we make the assumption that the user had access to edit post 9, they
> just got around the restriction. This is just a trivial example to
> demonstrate the question raised.
>
> It raises another problem, which I've been pondering for a little
> while; I might as well chip in:
>
> If someone knows the name of a database field they shouldn't have
> access to edit, they can easily save and edit a form and update fields.
>
> I'm still thinking about generic solutions to this generic problem ;)
>
> Cheers,
>
> AD7six
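As an added example that is not part of the original thread, and not CakePHP's own code, here is the session-held-record check Langdon describes written in plain PHP. The function names (stage_for_edit, check_post, is_stale, merge_post), the whitelist of editable fields, the session layout and the sample post 9 / post 1 data are all this example's own assumptions. The record is copied into the session when the edit form is rendered; on the POST, the hidden id is compared against the staged copy, any field name outside the whitelist is rejected, a modified timestamp detects stale data, and only whitelisted fields are merged onto the session copy before saving.

```php
<?php
// Added example (not from the original thread). Plain PHP, no CakePHP API.
// $session stands in for $_SESSION so the functions can be exercised directly.

// Called on the GET that renders the edit form. The caller has already
// checked that the current user may edit $record (the ACL step).
function stage_for_edit(array &$session, string $model, array $record, array $editable): void
{
    $session['edit'][$model] = [
        'original' => $record,   // authoritative copy of what was sent for editing
        'editable' => $editable, // field names the form is allowed to change
    ];
}

// Called on the POST. Returns a list of problems; empty means the post is acceptable.
function check_post(array $session, string $model, array $posted): array
{
    if (!isset($session['edit'][$model])) {
        return ['no record was staged for editing in this session'];
    }
    $original = $session['edit'][$model]['original'];
    $editable = $session['edit'][$model]['editable'];
    $problems = [];

    // Tampered hidden id: the posted id must be the id of the staged record.
    if (!isset($posted['id']) || (string)$posted['id'] !== (string)$original['id']) {
        $problems[] = 'posted id does not match the record staged for editing';
    }

    // Unexpected field names are rejected outright rather than silently dropped,
    // which also gives you something worth logging.
    foreach (array_keys($posted) as $field) {
        if ($field !== 'id' && !in_array($field, $editable, true)) {
            $problems[] = "field '$field' is not editable";
        }
    }
    return $problems;
}

// Stale-data check: the row may have been saved by someone else since the
// form was rendered. $current is the row as re-read from the database.
function is_stale(array $session, string $model, array $current): bool
{
    $original = $session['edit'][$model]['original'] ?? null;
    if ($original === null) {
        return true;
    }
    return (string)$original['modified'] !== (string)$current['modified'];
}

// Build the row to save: start from the session copy so the id and every
// non-editable column come from the server, and overlay only whitelisted fields.
function merge_post(array $session, string $model, array $posted): array
{
    $entry  = $session['edit'][$model];
    $merged = $entry['original'];
    foreach ($entry['editable'] as $field) {
        if (array_key_exists($field, $posted)) {
            $merged[$field] = $posted[$field];
        }
    }
    return $merged;
}

// Constructed sample data mirroring the post 9 / post 1 scenario from the thread.
$session = [];
$post9 = ['id' => 9, 'title' => 'Ninth', 'body' => 'text', 'user_id' => 42,
          'modified' => '2007-01-01 10:00:00'];
stage_for_edit($session, 'Post', $post9, ['title', 'body']);

// Honest edit: no problems.
print_r(check_post($session, 'Post', ['id' => 9, 'title' => 'New title', 'body' => 'text']));
// Hidden id changed to 1: rejected.
print_r(check_post($session, 'Post', ['id' => 1, 'title' => 'New title', 'body' => 'text']));
// A field the form never offered (user_id): rejected.
print_r(check_post($session, 'Post', ['id' => 9, 'title' => 'New title', 'user_id' => 1]));
// Stale: the row was saved by someone else after the form was rendered.
var_dump(is_stale($session, 'Post', ['id' => 9, 'modified' => '2007-01-01 10:05:00']));
// What would actually be saved for the honest edit: id and user_id come from the session copy.
print_r(merge_post($session, 'Post', ['id' => 9, 'title' => 'New title', 'body' => 'text']));
```

Keying the staged copy by model name means only one record per model can be in flight per session; if users open several edit forms at once, key it by model and id instead and carry that key in the form. Clearing the staged entry after a successful save (or on the redirect of the Post-Redirect-Get cycle) keeps an old copy from being replayed later.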
