| 86 | ''This is totally insecure, n'est-ce pas? A user can fiddle with hidden form fields - in fact, if you get the developer extensions for Mozilla Firefox, it's very easy to do. In this case you could then spoof the user doing the post. A better solution would be as above, but instead of pre-populating data into newData, you override the manipulator constructor to allow it to take parameters which you want to fix (such as the user), which it stores for later use. Then you override its save() method, which enforces those stored values (e.g. by changing the copy of the posted back data) and then calls the base save() method. (I haven't tried this, but I can't see a problem)'' |
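Worked example of the design sketched in the comment above, added here and not part of the original wiki page or of Django's manipulator code: a base class whose save() trusts whatever was posted (the hidden-field problem), and a subclass whose constructor takes the values the server wants to fix (such as the user), stores them, and overwrites a copy of the posted data with them before calling the base save(). Class names, the plain-dict stand-in for the posted data, and the sample POST are assumptions made for illustration.

```python
"""Added example (not from the wiki page or Django): the 'fix values in the
constructor, enforce them in save()' pattern. BaseManipulator and
FixedValuesManipulator are hypothetical stand-ins, not Django's API."""
from copy import deepcopy


class BaseManipulator:
    """Toy base class: validates posted data and returns the record it would store."""
    fields = ("title", "body", "user")

    def save(self, posted):
        record = {name: posted.get(name) for name in self.fields}
        if not record["title"]:
            raise ValueError("title is required")
        return record


class FixedValuesManipulator(BaseManipulator):
    """Takes server-side values at construction time (e.g. user=request.user),
    stores them, and enforces them in save() regardless of what the client sent."""

    def __init__(self, **fixed):
        self._fixed = dict(fixed)

    def save(self, posted):
        # Work on a copy so the caller's dict (think request.POST) is not mutated.
        data = deepcopy(dict(posted))
        # Any client-supplied value for a fixed key is discarded here.
        data.update(self._fixed)
        return super().save(data)


def insecure_handler(posted):
    """The 'before' case: the acting user is read from a hidden form field."""
    return BaseManipulator().save(posted)


def secure_handler(posted, authenticated_user):
    """The 'after' case: the user comes from the server-side session, never the form."""
    return FixedValuesManipulator(user=authenticated_user).save(posted)


# Constructed sample: a POST whose hidden 'user' field was edited in the browser.
TAMPERED_POST = {"title": "hello", "body": "text", "user": "admin"}

if __name__ == "__main__":
    print(insecure_handler(TAMPERED_POST)["user"])          # admin (spoofed)
    print(secure_handler(TAMPERED_POST, "alice")["user"])   # alice (enforced)
```

The point the comment makes survives intact: no amount of client-side fiddling with the hidden field changes what the subclass stores, because the enforced values are bound on the server before save() runs, and the original posted mapping is left untouched.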