CakePHP hidden edit field
I just started using the CakePHP framework, 2.0 to be precise. I read most of the documentation and examples and came across the blog tutorial.
http://book.cakephp.org/2.0/en/tutorials-and-examples/blog/part-two.html#editing-posts
In the "edit post" section of the tutorial I saw they were using a hidden field to remember the post id. Isn't this bad practice because of client side modifications?
The way I handled this is remove the hidden field, and when the form is submitted add the post id to the POST data before saving and validating it. Is this the correct way to do this?
Comments (3)
Yes, that's pretty much the right way if you are concerned about tampering with the data.
If the record belongs to a certain user, you need to make sure that this user can't just replace the id with the one of another user's record.
The security component does NOT help here either (at least for some aspects).
Read more about it here:
http://www.dereuromark.de/2010/09/21/saving-model-data-and-security/
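The approach from the question combined with the ownership check from this answer, as an added example that is not part of the original question or answers. It assumes CakePHP 2.x, a `user_id` column on the posts table, and an AuthComponent setup where `$this->Auth->user('id')` returns the logged-in user's id.

```php
<?php
// Added example (not from the original question or answers): the record id
// comes from the URL and overwrites whatever the client put in the form data,
// and the row's owner is checked before saving. Assumes a user_id column.
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    // SecurityComponent black-holes requests whose hidden fields were altered;
    // it does not replace the server-side checks below.
    public $components = array('Session', 'Auth', 'Security');

    public function edit($id = null) {
        // Load the record by the id in the URL, never by an id sent in the body.
        $post = $this->Post->find('first', array(
            'conditions' => array('Post.id' => $id),
        ));
        if (!$post) {
            throw new NotFoundException(__('Invalid post'));
        }

        // Ownership check: a valid id of someone else's record is still rejected.
        if ((int)$post['Post']['user_id'] !== (int)$this->Auth->user('id')) {
            throw new ForbiddenException(__('You may only edit your own posts'));
        }

        if ($this->request->is('post') || $this->request->is('put')) {
            // Force id and owner from trusted server-side values, discarding
            // any 'id' or 'user_id' the client may have added to the submission.
            $this->request->data['Post']['id'] = $post['Post']['id'];
            $this->request->data['Post']['user_id'] = $post['Post']['user_id'];

            // Whitelist the columns this form may write; extra fields are ignored.
            $fieldList = array('id', 'user_id', 'title', 'body');
            if ($this->Post->save($this->request->data, true, $fieldList)) {
                $this->Session->setFlash(__('Your post has been updated.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to update your post.'));
        }

        if (!$this->request->data) {
            // GET: populate the form with the existing record.
            $this->request->data = $post;
        }
    }
}
```

With this, the hidden `id` field in the view can stay or go; either way the client cannot choose which row gets written.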
SecurityComponent will help with hidden fields. It will black-hole any request that it detects contains tampered-with hidden inputs, but it won't do anything for drop-down inputs. You can crack some AddUser form open in Firebug and add an option:
Into the "role" drop-down, select it on the form, and upon submission, CakePHP will create a new SuperAdmin. So the best policy is still to not trust the client. The client is a pack of timberwolves and your server is a clutch of bunny-rabbits. Keep those two separate.
All you have to do is add the SecurityComponent to your AppController::$components variable to prevent the client from altering hidden fields.