First rule of security ..... never trust the user! You really need to watch Pierre Spring's (http://twitter.com/#!/shvi) CakeFest talk on security when it is uploaded, it will scare the be-jeesus out of you! Keep an eye out for that on tv.cakephp.org when @phpNut recovers from his flight home, edits the talks and uploads them.
The problem is, the only way a user communicates with your app is via HTTP requests and your server does not know if that request has come from an evil hacker or an angelic genuine user. Therefore you must ensure that any data posted to your app is only ever sent from a form you created, that is served from within your app*. Same thing with delete requests, you should only ever accept these from POST - how easy is it to type '/users/delete/1', '/users/ delete/2', 'users/delete/3' etc.. With GET requests anyone can type variable names and values direct into the parameters string and add or update any field for any record in your database without ever being on your site. Ok, you can do some authenticate and authorisation checks after recieving the request to see if they own the record, but what if the user has managed to compromise a user's account? (again Pierre Spring's talk will show how easy this is if not protected with simple but effective methods that CakePHP provide if used correctly). * The only time you should accept POST requests from an external server is if you've written an API, but then you need to operate on HTTPS and have Keys and Tokens etc. to authorise requests. HTH, Paul @phpMagpie On Sep 6, 2:26 am, Ryan Schmidt <[email protected]> wrote: > On Sep 5, 2011, at 05:55, WebbedIT wrote: > > > It is a VERY bad idea to accept data via GET that you are going to > > write into your database. Please do not do it, you should only accept > > POST data > > Why, by the way? It is no more difficult for a user (web browser, JavaScript, > curl, etc.) to send POST data than it is to send GET data. Either you trust > the user to supply data to your application or you don't. -- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
