Stop a field from being updated in CakePHP

Time: 2012-08-29 11:47:08

Tags: php cakephp

In my CakePHP application I have an edit form in which the "email" field is readonly, meaning the user cannot update it. But from a security point of view, I think the user could still update the field through Firebug or some other browser plugin.

I am using $this->User->save($this->data) to save the updated data. With this call, the email can be updated as well.

Is there any way in CakePHP to stop this field from being updated, such as by passing a parameter here or something similar?

4 answers:

Answer 0 (score: 2)

You just need to remove the email field from $this->data:
unset($this->data['User']['email']);
$this->User->save($this->data);

Answer 1 (score: 1)

You can do the following:

$dontUpdateField = array('email');
$this->Model->save(
    $this->data,
    true,
    array_diff(array_keys($this->Model->schema()), $dontUpdateField)
);

Answer 2 (score: 1)

If you are worried about security, just reject any data containing unexpected values. In Cake you can do it like this, but it can be adapted to any framework / CMS.

/**
 * Checks input array against array of expected values.
 *
 * Checks single dimension input array against array of expected values.
 * For best results put this in app_controller.
 *
 * @param array $data - 1 dimensional array of values received from untrusted source
 * @param array $expected - list of expected fields
 * @return boolean - true if all fields are expected, false if any field is unexpected.
 */
protected function _checkInput($data, $expected) {
  foreach (array_keys($data) as $key) {
    if (!in_array($key, $expected)) {
      // a key that is not in the whitelist means the request was tampered with
      return false;
    }
  }
  return true;
}

/**
 * edit method.
 *
 * put this in <Model>_controller
 * @param string $id
 * @return void
 * @todo create errors controller to handle incorrect requests
 * @todo configure htaccess and Config/routes.php to redirect errors to errors controller
 * @todo setup log functionality to record hack attempts
 * @todo populate $expected with fields relevant to current model
 */
function edit($id = null) {
  $expected = array('expectedVal1', 'expectedVal2');
  $this->Model->id = $id;
  if (!$this->Model->exists()) {
    throw new NotFoundException(__('Invalid model'));
  }
  if ($this->request->is('post')) {
    if (!$this->_checkInput($this->request->data['Model'], $expected)) {
      //log the ip address and time
      //redirect to somewhere safe
      $this->redirect(array('controller' => 'errors', 'action' => 'view', 405));
    }
    if ($this->Model->save($this->request->data)) {
      //do post save routines
      //redirect as necessary
    } else {
      $this->Session->setFlash(__('The model could not be saved. Please, try again.'));
    }
  }
  $this->set('model', $this->Model->read($expected, $id));
}

Answer 3 (score: 0)

You can use the Security component and make the email a hidden field. When this component is in use, hidden fields cannot be changed, or Cake will black-hole the form.

http://book.cakephp.org/1.3/en/view/1296/Security-Component

If your application is public, using Security is strongly recommended; otherwise injecting data into the model is trivial by submitting extra fields on the form, which get saved when $this->Model->save($this->data) runs, unless you do extra work to validate every field of $this->data.
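Combining the fieldList idea from answer 1 with answer 2's rejection and logging, here is an added example that is not from any of the answers above: plain PHP that runs without CakePHP, with the model schema columns, the readonly list and a tampered POST constructed for illustration in place of $this->User->schema() and $this->request->data['User'].

```php
<?php
// Added example (not from the original answers). Builds a save whitelist from
// the model schema minus readonly columns and reports every dropped key, so
// the controller can both save safely and log the tampering attempt.

/**
 * Split submitted fields into those allowed to be saved and those to reject.
 * Anything not in the schema, anything in $readonly, and the primary key are
 * rejected: the record id must come from the URL ($this->User->id), never from
 * the form body.
 *
 * @param array $submitted untrusted fields from the request
 * @param array $schema    column names, e.g. array_keys($this->User->schema())
 * @param array $readonly  columns this form must never change
 * @return array 'data' (clean fields), 'fieldList' (for save()), 'rejected' (dropped keys)
 */
function whitelistSubmittedFields(array $submitted, array $schema, array $readonly)
{
    $fieldList = array_values(array_diff($schema, $readonly, array('id')));
    $clean = array();
    $rejected = array();
    foreach ($submitted as $key => $value) {
        if (in_array($key, $fieldList, true)) {
            $clean[$key] = $value;
        } else {
            $rejected[] = $key;
        }
    }
    return array('data' => $clean, 'fieldList' => $fieldList, 'rejected' => $rejected);
}

// Constructed sample: schema of a hypothetical users table and a POST body in
// which a client added fields the form never rendered as editable.
$schemaColumns   = array('id', 'username', 'email', 'password', 'is_admin', 'created', 'modified');
$readonlyColumns = array('email', 'is_admin', 'created', 'modified');
$post = array('username' => 'alice', 'email' => 'other@example.invalid', 'is_admin' => '1', 'bio' => 'x');

$result = whitelistSubmittedFields($post, $schemaColumns, $readonlyColumns);

if ($result['rejected']) {
    // In CakePHP 2 this would be CakeLog::write('security', ...) followed by a redirect.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log('Rejected fields from ' . $ip . ': ' . implode(',', $result['rejected']));
}

// Inside the controller the save would then be:
//   $this->User->id = $id;
//   $this->User->save(array('User' => $result['data']), true, $result['fieldList']);
print_r($result);
```

Passing the fieldList as the third argument to save() is the second line of defence: even if a filtered key slipped through, Cake would only write the whitelisted columns.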