
I'm new to CakePHP, and am trying to do some blog-like exercise, then I ran into some problems.

See, I have a Model called Post, then under the PostsController I generated a view action for checking a single blog post. What I want is to allow the users to be able to add comments to the post in the Posts/view page instead of being redirected to a new Comments/add page. To do that I need to tell my CommentsController which post the user is commenting on. So I wrote this in my /app/View/Posts/view.ctp:

<?php

// the target controller/action belongs under the 'url' option of Form::create()
echo $this->Form->create('Comment', array('url' => array('controller' => 'comments', 'action' => 'add')));
echo $this->Form->input('content', array('rows' => 3));

// this is the line I'm not sure about
echo $this->Form->input('post_id', array('default' => $post['Post']['id'], 'type' => 'hidden'));

echo $this->Form->end('Submit');

?>

Now this solution will send the value of $post['Post']['id'] to the add action in CommentsController in the form of $this->request->data['post_id'], but call me anal, I worry whether this is the correct, or "professional", way to do this, since one can easily make the hidden field visible by altering some attributes with "inspect element" inside of any modern browser, leaving not necessarily potential security vulnerabilities, but something I personally don't feel comfortable with. So please, if anyone's worked with CakePHP before, share some experience with me on that.

alxyzc

1 Answer


First you can shorten that line to:

$this->Form->hidden('post_id', array('value' => $post['Post']['id']));

To prevent form tampering, use the Security component. It will:

  • Restrict which HTTP methods your application accepts.
  • Provide CSRF protection.
  • Provide form tampering protection.
  • Require that SSL be used.
  • Limit cross-controller communication.

Also, I would validate that any data that is processed is valid. So you might want to check that the post exists and is public as well, for example, to prevent people from adding comments to a non-public post. The same concept applies to everything: never trust any input, neither user nor API. Always validate the data and circumstances.

floriank
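The following is an added example of what the answer describes, not code from the question, the answer or CakePHP itself: a CakePHP 2.x CommentsController whose add() action loads the Security component (so the signed hidden post_id field cannot be altered in the browser without the request being black-holed), accepts only POST, and confirms that the referenced post exists and is public before saving. The Post column `is_public` and the `MethodNotAllowedException` / `NotFoundException` usage are assumptions chosen for illustration; the form in the view is assumed to be the one from the question, built with FormHelper so that the Security component can sign its fields.

```php
<?php
// Added example (not the question's or answer's code): CommentsController for CakePHP 2.x.
// Assumes a Comment model with a post_id column and a Post model with an `is_public`
// boolean column (both assumptions for this illustration).
App::uses('AppController', 'Controller');

class CommentsController extends AppController {

    // SecurityComponent signs every field FormHelper emits, hidden post_id included.
    // A submission whose post_id was edited with "inspect element" no longer matches
    // the signature and is black-holed before add() runs.
    public $components = array('Security');

    // Load the Post model as well so the target post can be verified.
    public $uses = array('Comment', 'Post');

    public function add() {
        // A write operation should only be reachable through a form POST.
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }

        // FormHelper nests the fields under the model name given to Form::create().
        $postId = isset($this->request->data['Comment']['post_id'])
            ? $this->request->data['Comment']['post_id']
            : null;

        // Never trust the submitted id: the post must exist and be public.
        $post = $this->Post->find('first', array(
            'conditions' => array(
                'Post.id' => $postId,
                'Post.is_public' => true,   // assumed column name
            ),
            'recursive' => -1,
        ));
        if (!$post) {
            throw new NotFoundException(__('Invalid post'));
        }

        // Save the comment against the verified post id, not the raw request value.
        $this->Comment->create();
        $this->request->data['Comment']['post_id'] = $post['Post']['id'];
        if ($this->Comment->save($this->request->data)) {
            $this->Session->setFlash(__('Your comment has been saved.'));
        } else {
            $this->Session->setFlash(__('Unable to add your comment.'));
        }
        return $this->redirect(array(
            'controller' => 'posts',
            'action' => 'view',
            $post['Post']['id'],
        ));
    }
}
```

With the Security component enabled, a request whose signed fields were changed, whose CSRF token is missing, or that arrives as GET never reaches the find() call; the existence and visibility check then covers the case the signature cannot, a well-formed request pointing at a post the user should not be able to comment on.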
  • Thanks! So what you are saying is basically that this _is_ the right approach and all I need is more security layers. Am I understanding correctly? – alxyzc Jan 08 '14 at 15:08
  • Yes. No matter what you do you'll always have to mistrust the incoming data and make sure nobody can do something malicious with it. This does apply to *every* program and programming language. Would you mind flagging the answer as correct then? Thanks. ;) – floriank Jan 08 '14 at 15:10
  • Oh sure. I was just wondering if there might be some other way for doing that, such as calling up the referrer of the controller (in this case the post URL) and parse it to determine the `id` of that post. But that sounds messy to me and since you have such high reputation... hah! just kidding ;) – alxyzc Jan 08 '14 at 15:15
  • Sure, you can pass around values using GET as well. But for example deleting data should only be accepted by a POST request. If you're using GET here, a spider crawling the site or some script kiddy might delete all your records by simply iterating over /posts/delete/1, 2, 3.... See http://stackoverflow.com/questions/195212/what-are-the-advantages-of-using-a-get-request-over-a-post-request and http://stackoverflow.com/questions/2946325/why-should-i-post-data-rather-then-get. Which does NOT mean that POST is a real security measure! – floriank Jan 08 '14 at 15:21