0

在我的蛋糕 PHP 应用程序中,我有一个编辑表单,其中“电子邮件”字段是只读的,这意味着用户无法更新它。现在,如果我认为从安全角度来看,用户可以通过“firebug”或其他一些浏览器插件来更新该字段。

$this->User->save($this->data)用来保存更新的数据。通过此功能,电子邮件也可以更新。

我们在 cake php 中有什么方法可以防止这个字段被更新,比如在这里传递一个参数或类似的东西?

4

4 回答 4

3

您可以简单地从 $this->data 中删除电子邮件字段:

unset($this->data['User']['email']);
$this->User->save($this->data);
于 2012-08-29T12:18:35.207 回答
1

如果安全是一个问题,只需拒绝任何具有意外值的数据。在蛋糕中你可以这样做,但它可以适用于任何框架/cms

/**
 * Checks input array against array of expected values.
 *
 * Checks single dimension input array against array of expected values.
 * For best results put this is in app_controller.
 *
 * @param array $data - 1 dimensional array of values received from untrusted source
 * @param array $expected - list of expected fields
 * @return boolean - true if all fields are expected, false if any field is unexpected.
 */
protected function _checkInput($data,$expected){
  foreach(array_keys($data) as $key){
    if (!in_array($key,$expected)){
     return;
    }
  }
  return true;
}

/** 
 * edit method.
 * 
 * put this in <Model>_controller
 * @param string $id
 * @return void
 * @todo create errors controller to handle incorrect requests
 * @todo configure htaccess and Config/routes.php to redirect errors to errors controller
 * @todo setup log functionality to record hack attempts
 * @todo populate $expected with fields relevant to current model
 */ 
function edit($id=null){
  $expected = ('expectedVal1', 'expectedVal2');
  $this->Model->id = $id;
  if (!$this->Model->exists()) {
    throw new NotFoundException(__('Invalid model'));
  }
  if ($this->request->is('post')) {
    if (!$this->_checkData($this->request->data['Model'], $expected)) {
      //log the ip address and time
      //redirect to somewhere safe
      $this->redirect(array('controller'=>'errors','action'=>'view', 405);
    }
    if ($this->Model->save($this->request->data)) {
      //do post save routines
      //redirect as necessary
    }
    else {
      $this->Session->setFlash(__('The model could not be saved. Please, try again.'));
    }
  }
  $this->set('model',$this->Model->read($expected,$id));
}
于 2012-08-31T09:28:36.310 回答
1

您可以执行以下操作:

$dontUpdateField = array('email');
$this->Model->save(
           $this->data, 
           true, 
           array_diff(array_keys($this->Model->schema()),$dontUpdateField)
);
于 2012-08-29T12:15:05.433 回答
0

您可以使用安全组件并隐藏电子邮件。使用此组件时,隐藏字段不能更改,否则蛋糕会黑化表单。

http://book.cakephp.org/1.3/en/view/1296/Security-Component

如果您的应用程序是公开的,强烈建议您使用安全性,否则通过在表单上提交额外字段$this->Model->save($this->data))并保存额外字段时将数据注入模型中有点微不足道,除非您进行额外的验证工作$this->data 的每个字段;

于 2012-08-30T20:18:25.187 回答