Changes between Version 5 and Version 6 of CookBookManipulatorWithHiddenFields


Ignore:
Timestamp:
09/16/2005 04:44:23 PM (10 years ago)
Author:
hugo <gb@…>
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • CookBookManipulatorWithHiddenFields

    v5 v6  
    33''This is totally insecure, n'est-ce pas? A user can fiddle with hidden form fields - in fact, if you get the developer extensions for Mozilla Firefox, it's very easy to do.  In this case you could then spoof the user doing the post.  A better solution would be as above, but instead of pre-populating data into newData, you override the manipulator constructor to allow it to take parameters which you want to fix (such as the user), which it stores for later use.  Then you override its save() method, which enforces those stored values (e.g. by changing the copy of the posted back data) and then calls the base save() method. (I haven't tried this, but I can't see a problem)''
    44
    5 ''This is absolutely insecure. The better way indeed would be to populate parts of the POST data to overwrite those fields you know about. I am using that in a project myself and it works fine. Passing security relevant data through hidden fields is just a horrible idea, don't do that at home, kids!'' -- hugo
     5''This is absolutely insecure. The better way indeed would be to populate parts of the POST data to overwrite those fields you know about - see CookBookManipulatorWithPostpopulatedFields. I am using that in a project myself and it works fine. Passing security relevant data through hidden fields is just a horrible idea, don't do that at home, kids!'' -- hugo
    66
    77== Description ==
Back to Top