Tag: cakephp save security

Blacklist your model fields for save()…

You’ve probably heard that in order to make your save() more secure, you can pass in a third parameter listing only those fields that you’d like to save (all others will be ignored).

However, in some cases it would make more sense to “blacklist” one or two fields, rather than “whitelist” a whole bunch of required fields.

An awesome tip from Nate shows just how to accomplish this…

// Fields that must never be written from request data
$blackList = array('protected', 'fields', 'here');
// Build the whitelist from the model's own columns, minus the blacklist
$this->Model->save($this->data, true, array_diff(array_keys($this->Model->schema()), $blackList));

Quite clever indeed.

CakePHP and save() security

An interesting point came up on IRC…

What happens if someone submits data to your application via a fake form?

How can you ensure that a malicious user will not simply save some unwanted data by filling your $this->data array with things you don’t want there? For example, by sending an “extra” field, one could post $this->data['User']['id'] = 5; and trigger an update of an existing record instead of an insert… well, you can use your imagination to come up with some other evil tricks.

A simple solution is to ensure that you pass a third parameter to your save() method. If you take a look at the API, you’ll see that save() lets you specify a list of fields which you know should be saved; the rest will be ignored.
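Putting both posts together, here is an added example (my own code, not from either post or from CakePHP itself) of a CakePHP 1.x-style AppModel helper that turns the blacklist tip into a reusable method, with a controller showing the unsafe call next to the whitelisted and blacklisted forms. The saveExcept() method, the User model, the role column and the UsersController are assumptions for illustration.

```php
<?php
// Added example: reusable blacklist helper for Model::save() in CakePHP 1.x.
// saveExcept(), the User model, its "role" column and the controller are
// hypothetical names chosen for this illustration.

class AppModel extends Model {

    /**
     * Save $data, but never accept the columns in $blacklist from the request.
     * The whitelist (third save() parameter) is built from the model schema,
     * so unknown keys and blacklisted columns are both dropped by save().
     */
    function saveExcept($data, $blacklist = array('id'), $validate = true) {
        $fieldList = array_diff(array_keys($this->schema()), $blacklist);
        return $this->save($data, $validate, array_values($fieldList));
    }
}

class UsersController extends AppController {
    var $name = 'Users';

    function register() {
        if (!empty($this->data)) {
            // Unsafe: a forged form can add User.id (turning the insert into
            // an update of someone else's row) or User.role, and save() will
            // write whatever arrives in $this->data.
            // $this->User->save($this->data);

            // Hardened (whitelist): only these columns are ever written.
            $this->User->save($this->data, true,
                array('username', 'email', 'password'));
        }
    }

    function edit($id = null) {
        if (!empty($this->data)) {
            // The record to update comes from the route, never from the form.
            $this->User->id = $id;
            // Hardened (blacklist): every schema column except id and role.
            $this->User->saveExcept($this->data, array('id', 'role'));
        }
    }
}
```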

P.S. Additional security for your forms (and ultimately your data) can be achieved with the Security component.