
Writing Secure Code with CakePHP 2.x Forms

source link: https://www.devdungeon.com/content/writing-secure-code-cakephp-2x-forms


Submitted by NanoDano on Sun, 02/17/2013 - 18:36

CakePHP is one of my favorite web frameworks. There is one glaring security hole that caught my attention, though: without proper care from the developer, users can tamper with the data a form sends and add fields the form never contained. For example, a common operation is to take the values from a form and save them directly like this:

$this->User->save($this->request->data['User']);

Let's say the user manipulates the form and adds this line:

<input name="data[User][admin]" value="1" />

Without proper intervention, the user may have just set their account to an admin!

It is imperative to sanitize the submitted data before saving it, removing any field the user should not be allowed to set. It can be as simple as:

unset($this->request->data['User']['admin']);
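The two approaches side by side, as an added example that is not part of the original post or of CakePHP itself: the blacklist fix above, and a whitelist that keeps only the fields the form is allowed to set. The request array, the helper names stripKnownDangerous and keepAllowedFields, and the field list are all constructed for the illustration; the fieldList option mentioned at the end is CakePHP 2.x's own Model::save() parameter.

```php
<?php
// Added example (not from the original post or from CakePHP).
// Plain PHP reproduction of the mass-assignment problem: a tampered
// form submits data[User][admin]=1 and the controller must strip or
// whitelist fields before handing the array to Model::save().

// Constructed payload, as PHP would parse the tampered form containing
// the extra <input name="data[User][admin]" value="1" /> from the post.
$requestData = array(
    'User' => array(
        'username' => 'alice',
        'email'    => 'alice@example.com',
        'admin'    => '1',  // injected by the client, not in the real form
    ),
);

// Blacklist approach (the unset() fix from the post): remove the one
// field known to be dangerous. Fragile, because every new privileged
// column (role, active, balance, ...) must also be remembered here.
function stripKnownDangerous(array $data) {
    unset($data['admin']);
    return $data;
}

// Whitelist approach: keep only the fields this form may set. Any key
// the client adds that is not in $allowed is dropped, so privileged
// columns added later are protected by default.
function keepAllowedFields(array $data, array $allowed) {
    return array_intersect_key($data, array_flip($allowed));
}

// Constructed whitelist for a sign-up form.
$allowedSignupFields = array('username', 'email', 'password');

$blacklisted = stripKnownDangerous($requestData['User']);
$whitelisted = keepAllowedFields($requestData['User'], $allowedSignupFields);

// Neither result carries the injected admin flag; the whitelisted array
// additionally rejects any other unexpected key.
var_dump(isset($blacklisted['admin']));
var_dump(isset($whitelisted['admin']));
print_r($whitelisted);

// In a CakePHP 2.x controller the same whitelist can be handed to
// Model::save() through its fieldList option instead of filtering
// the array by hand:
//   $this->User->save($this->request->data['User'], array(
//       'fieldList' => $allowedSignupFields,
//   ));
```

CakePHP 2.x also ships a SecurityComponent whose form-tampering protection rejects a submission whose set of fields differs from what FormHelper generated; it complements a server-side field whitelist but does not replace it, since API clients and hand-built forms bypass FormHelper entirely.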

In the end, I wouldn't consider this a flaw in CakePHP. It's similar to programming with SQL queries: it's up to the developer to ensure the user did not pass bad data, just as it's the developer's responsibility not to put raw user input in a query. Let this be a warning to young CakePHP developers!
