hi there I have the following (simplified) scenario: A usual form to add a post (from the blog tutorial). If the form is submitted, this method is called inside the action: $this->Post->save($this->data); I also have some validation stuff inside the post model (title, body).
Now I know, anybody can submit any data to my server, e.g. a variable called data[Post][id] additionally to the usual form data. What happens now? The post is actually inserted with the submitted id! By the way, this could override an existing post ;) So what I did is, I added a validation criteria to the post model which forces the id to be empty. This causes the post not to be validated and can therefore not be saved. It does work as expected, but is that the official way to prevent from arbitrary primary key "injection"? I don't want to check it inside the controller action. I'd appreciate if somebody could show me his/her solution to this or if there's even a standard way. Regards, rethab Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
