CakePHP: Securely setting a default value on a form


Problem description


In CakePHP 2.4, how does one securely set part of a form to a default value?

On my user registration view, I'm currently setting the default group_id to 3 with this, but it seems like it would be a huge security hole to do it in the view, should anyone forge a form.

<?php echo $this->Form->hidden('group_id', array('value'=>'3')); ?>

My current register method:

public function register() {
    if ($this->request->is('post')) {
        $this->User->create();
        if ($this->User->save($this->request->data)) {
            $this->Session->setFlash(__('The user has been saved'), 'flash/success');
            $this->redirect(array('action' => 'index'));
        } else {
            $this->Session->setFlash(__('The user could not be saved. Please, try again.'), 'flash/error');
        }
    }

}

Solution

Don't set the value in the form but before you save the data. Only set values in hidden fields if it is required to be done in the view layer; if not, always set such values in the controller or, better, in the model. Remember: Fat models, skinny controllers.

You should always use the Security component in your projects to avoid form tampering and other attacks.

Have a read about the security component here http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#form-tampering-prevention

By default SecurityComponent prevents users from tampering with forms. It does this by working with FormHelper and tracking which fields are in a form. It also keeps track of the values of hidden input elements. All of this data is combined and turned into a hash. When a form is submitted, SecurityComponent will use the POST data to build the same structure and compare the hash.

Add this component to your add model.

You can save the value in beforeSave() as well, you just need to check if the record is going to be a new one or if it already exists by checking if the id is present.

public function beforeSave($options = array()) {
    if (empty($this->id) && empty($this->data[$this->alias][$this->primaryKey])) {
        $this->data[$this->alias]['group_id'] = 3;
    }
    return true;
}

Usually the id is only present when the record exists, if you want to make it more solid you can check exists() for that id as well to be totally sure it's not already there.

Another best practice hint:

$this->data[$this->alias]['group_id'] = 3;

Sucks. Nobody ever knows what 3 is. If the groups are not changing it is better to have an empty, tableless model or a simple class with constants:

$this->data[$this->alias]['group_id'] = UserGroup::USER;
$this->data[$this->alias]['group_id'] = UserGroup::ADMIN;
$this->data[$this->alias]['group_id'] = // You get the idea...

If the groups are dynamic for some reason I guess they still have some kind of identifier:

$this->data[$this->alias]['group_id'] = $this->UserGroup->getDefaultGroupId();
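The pieces of the answer combined into one CakePHP 2.x setup, as an added example that is not the answerer's code: the default group is assigned server-side in beforeSave() from a named constant, the controller loads SecurityComponent, and any group_id the client posts is dropped before save(). The file paths, the UserGroup class and the other group ids are assumptions.

```php
<?php
// Added example, not from the original answer. Assumed layout for CakePHP 2.x:
// app/Lib/UserGroup.php, app/Model/User.php, app/Controller/UsersController.php.

// app/Lib/UserGroup.php - named constants instead of a magic number
class UserGroup {
    const ADMIN = 1;   // assumed id
    const EDITOR = 2;  // assumed id
    const USER = 3;    // the group the question hard-codes for new registrations
}

// app/Model/User.php
App::uses('AppModel', 'Model');
App::uses('UserGroup', 'Lib');

class User extends AppModel {

    public function beforeSave($options = array()) {
        $data =& $this->data[$this->alias];
        $isNew = empty($this->id) && empty($data[$this->primaryKey]);
        if ($isNew) {
            // Server-side default: whatever the client submitted is overwritten,
            // so a forged group_id in the POST body cannot change the new account's group.
            $data['group_id'] = UserGroup::USER;
        }
        return true;
    }
}

// app/Controller/UsersController.php
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    // SecurityComponent hashes the rendered field list and hidden values; a POST
    // whose fields do not match that hash is rejected before the action runs.
    public $components = array('Security');

    public function register() {
        if ($this->request->is('post')) {
            // Defence in depth: group_id never enters from the request at all.
            unset($this->request->data['User']['group_id']);
            $this->User->create();
            if ($this->User->save($this->request->data)) {
                $this->Session->setFlash(__('The user has been saved'), 'flash/success');
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The user could not be saved. Please, try again.'), 'flash/error');
        }
    }
}
```

Note that beforeSave() sets group_id after save() has applied any fieldList whitelist, so if you pass a fieldList to save() it must include group_id or the default is silently dropped.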
