Changes between Version 3 and Version 4 of CookBookManipulatorWithHiddenFields
- Timestamp:
- Sep 16, 2005, 3:11:49 PM (19 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
CookBookManipulatorWithHiddenFields
v3 v4 1 1 = CookBook - Manipulator With Hidden Fields = 2 3 ''This is totally insecure, n'est-ce pas? A user can fiddle with hidden form fields - in fact, if you get the developer extensions for Mozilla Firefox, it's very easy to do. In this case you could then spoof the user doing the post. A better solution would be as above, but instead of pre-populating data into newData, you override the manipulator constructor to allow it to take parameters which you want to fix (such as the user), which it stores for later use. Then you override its save() method, which enforces those stored values (e.g. by changing the copy of the posted back data) and then calls the base save() method. (I haven't tried this, but I can't see a problem)'' 4 5 "This is absolutely insecure. The better way indeed would be to populate parts of the POST data to overwrite those fields you know about. I am using that in a project myself and it works fine. Passing security relevant data through hidden fields is just a horrible idea, don't do that at home, kids!" -- hugo 2 6 3 7 == Description == … … 84 88 Enjoy! 85 89 86 ''This is totally insecure, n'est-ce pas? A user can fiddle with hidden form fields - in fact, if you get the developer extensions for Mozilla Firefox, it's very easy to do. In this case you could then spoof the user doing the post. A better solution would be as above, but instead of pre-populating data into newData, you override the manipulator constructor to allow it to take parameters which you want to fix (such as the user), which it stores for later use. Then you override its save() method, which enforces those stored values (e.g. by changing the copy of the posted back data) and then calls the base save() method. (I haven't tried this, but I can't see a problem)''