Issue
Recently I finished a tutorial about creating a simple blog using CakePHP; here is the link: http://book.cakephp.org/2.0/en/tutorials-and-examples/blog/part-two.html Creating a validation form is very easy and fast, but I noticed one issue with it.
The file named post.ctp contains:
echo $this->Form->create('Post');
echo $this->Form->input('title');
And it generates a form for the end user with this input:
<input id="PostTitle" type="text" required="required" maxlength="50" name="data[Post][title]">
Someone who is using Firefox Firebug can change the HTML code before submitting the form from: name="data[Post][title]"
to: name="data[Post][author]"
. The result of this will update the column named "author", not "title", and will also allow the database to be updated with empty data for "title".
In the folder named "Model", the validation rule in Post.php doesn't prevent that:
class Post extends AppModel {
    public $validate = array(
        'title' => array(
            'rule' => 'notEmpty'
        ),
        'body' => array(
            'rule' => 'notEmpty'
        )
    );
}
How do I secure my application and not allow someone to update other columns in the database?
Solution
Cake's Security component includes form tampering protection. You will need to add the Security component in your controller(s):
public $components = array('Security');
Answered By - Bill Rollins Answer Checked By - Cary Denson (PHPFixing Admin)
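The following is an added example, not code from the original post or from the CakePHP project. It shows the two layers a defender would combine in a CakePHP 2.x app built from the blog tutorial: the Security component (which rejects a POST whose field names no longer match the hash FormHelper embedded in the form) and a fieldList whitelist on save(), which drops any unexpected key such as data[Post][author] even when the request did not come through a FormHelper form. It also marks title and body as 'required' so that a request that simply omits the title key fails validation instead of being saved with an empty title. The callback name tamperedRequest and the property name $_postFieldList are assumptions; the Post model, the posts table and the Session component usage follow the tutorial.

```php
<?php
// app/Model/Post.php (added example; assumes the tutorial's posts table)
App::uses('AppModel', 'Model');

class Post extends AppModel {
    public $validate = array(
        'title' => array(
            'rule' => 'notEmpty',
            // 'required' => true makes the key mandatory in the submitted data,
            // so a POST that drops data[Post][title] entirely fails validation
            // rather than being saved with no title.
            'required' => true,
            'message' => 'A title is required.'
        ),
        'body' => array(
            'rule' => 'notEmpty',
            'required' => true,
            'message' => 'A body is required.'
        )
    );
}

// app/Controller/PostsController.php (added example)
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    // SecurityComponent: FormHelper adds a hidden token that hashes the form's
    // field names; if a field is added, removed or renamed before submit
    // (title -> author in Firebug), validatePost() fails and the request is
    // black-holed. In 2.x the component also enables CSRF token checks.
    public $components = array('Security', 'Session');

    // Columns a user may set through the add/edit forms. Any other key in
    // $this->request->data is ignored by save(). Hypothetical property name.
    protected $_postFieldList = array('title', 'body');

    public function beforeFilter() {
        parent::beforeFilter();
        // Route tampered or token-less requests to our own handler instead of
        // the default 400 response, so the event can be logged.
        $this->Security->blackHoleCallback = 'tamperedRequest';
    }

    // Hypothetical callback name. $error is the reason SecurityComponent gives
    // ('auth' for a failed form hash, 'csrf' for a bad token, ...).
    public function tamperedRequest($error = '') {
        CakeLog::write('warning', sprintf(
            'Form tampering blocked (%s) from %s on %s',
            $error,
            $this->request->clientIp(),
            $this->request->here
        ));
        throw new BadRequestException('The submitted form could not be verified.');
    }

    public function add() {
        if ($this->request->is('post')) {
            $this->Post->create();
            // Second layer: even if a tampered or scripted POST reaches save(),
            // only the whitelisted columns are written. A renamed
            // data[Post][author] key is silently dropped, and the missing
            // title then fails the 'required' rule above.
            $saved = $this->Post->save(
                $this->request->data,
                array('fieldList' => $this->_postFieldList)
            );
            if ($saved) {
                $this->Session->setFlash(__('Your post has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to add your post.'));
        }
    }
}
```

The Security component only protects forms that FormHelper generated, because that is where the field-name hash comes from; a request built by another client (an API consumer, a JavaScript-submitted form without the token) would be black-holed unless the action is listed in unlockedActions, in which case the fieldList whitelist is the only thing standing between the request and the author column. Keeping both layers means a tampered form is rejected before it reaches the model, and a request that legitimately bypasses the form check still cannot write columns the action never intended to expose.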