Re: "Mass Assignment Vulnerability" - protection in Cake
That's mainly what I was saying: adding or removing fields in the DOM will cause trouble for sure.
But also resubmitting the form via AJAX several times (as the session token then expires) will blackhole if not avoided carefully.
So it is always good to know how the fieldList solution works.
On Thursday, 8 March 2012 16:23:45 UTC+1, jeremyharris wrote:
I've had no problem with ajax forms and the security component. The token is still added and it still goes through. It only blackholes if you dynamically change that field with javascript.
On Thursday, March 8, 2012 7:20:34 AM UTC-8, euromark wrote:
Well, with AJAX and dynamic field injection in forms you need to disable the component or at least some fields in order to not get blackholed.
Therefore I'd rather use the field whitelisting than enabling the security component.
But either way: one of those two options you should use to be on the safe side.
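The two options discussed in the thread, side by side, as an added example (not code posted by euromark or jeremyharris, and not from the CakePHP project). It assumes a CakePHP 2.x `User` model with an `is_admin` column that must never be settable from a form, and a hypothetical `newsletter` checkbox that page JavaScript toggles after render.

```php
<?php
// UsersController.php (CakePHP 2.x). Added example; assumptions: a User model
// with an "is_admin" column, and a "newsletter" field injected client-side.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $components = array('Security', 'Session');

    // Fields the page's JavaScript adds or removes after render go in
    // unlockedFields; the SecurityComponent then skips them during POST
    // validation instead of blackholing the request, while every other
    // field stays covered by the form token.
    public function beforeFilter() {
        parent::beforeFilter();
        $this->Security->unlockedFields = array('newsletter');
    }

    // Mass-assignment pattern: every key in the POST body reaches the model,
    // so a submitted data[User][is_admin] would be written along with the rest.
    public function register_unsafe() {
        if ($this->request->is('post')) {
            $this->User->create();
            $this->User->save($this->request->data);
        }
    }

    // Whitelisted pattern: only the columns named in fieldList are written,
    // regardless of what else the request body contains.
    public function register() {
        if ($this->request->is('post')) {
            $this->User->create();
            $allowed = array('username', 'email', 'password', 'newsletter');
            if ($this->User->save($this->request->data, array('fieldList' => $allowed))) {
                $this->Session->setFlash('Registered.');
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash('Could not register.');
        }
    }
}
```

Using both together, as the thread suggests, means a tampered field is dropped by `fieldList` even when a request legitimately bypasses token validation for an unlocked field.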