Protecting your forms with the Security Component
Saturday, June 13th 2009, 9:29pm
Topics: Tutorials, CakePHP
Tags: Component, Forms, Security, Protection
Comments: 3
Many users are unaware of this feature, as it is not documented in the Cookbook, but the Security component secures and protects your forms by default (provided you have added Security to the $components array). What does that mean? It is simple: the component adds hidden token fields to all your forms, which protect you against many kinds of robots and bots. An example of a token field is shown below.
Array
(
    [_Token] => Array
        (
            [key] => 40bbf3ac6cb4cd9bfaa617c088aa938bb398e80f
            [fields] => b5a93a2492bd2e6016856828d8046ba1f6f6200b%3An%3A0%3A%7B%7D
        )
)

These token fields are a dynamically generated hash based on all the fields present in a specific form. On top of this, the token only lasts for a limited time, so if you sit on a form for too long, the submission will be blackholed. "Blackhole" means the form posts to a blank page and the request fails.

Using Javascript to change input values

If you use Javascript to change a hidden input's value, the Security component will blackhole the form, because it checks whether any hidden field has changed value (if one has, it is usually a bot). To exempt such fields from this check, add the following to your controller's beforeFilter(). The array lists the field names you do NOT want the Security component to validate, so here it is the name of our hidden field.

// In your controller's beforeFilter(): hidden fields that may change without being blackholed
$this->Security->disabledFields = array('hiddenfield1', 'hiddenfield2', 'randomfield');

Not validating a form at all

If you have Security enabled but do not want it to validate a certain form, set validatePost to false in your beforeFilter(). This is MANDATORY if you are doing any type of Ajax request.

// In your controller's beforeFilter(): skip POST validation for one action only
if ($this->params['action'] == 'actionName') {
    $this->Security->validatePost = false;
}

// Ajax requests: skip POST validation, but blackhole anything that is not an Ajax request
$this->Security->validatePost = false;
if (!$this->RequestHandler->isAjax()) {
    $this->Security->blackHole($this, 'You are not authorized to process this request!');
}

And that is all, simple isn't it? All it requires is adding the Security component to your controller's $components and a bit of magic on your end.
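The token mechanism described above, as an added illustration in plain PHP that is not CakePHP's own code: a simplified model of a fields token computed as an HMAC over the form's field names and the values of its locked hidden fields, with a verify step that recomputes it from what was actually posted. The secret, field names and values are constructed for this example, and the $unlocked list plays the role of disabledFields; token expiry is left out.

```php
<?php
// Constructed server-side secret for this illustration (not a CakePHP value).
const FORM_SECRET = 'constructed-server-side-secret';

// Build the token at render time. The hash covers every field name in the form
// plus the values of hidden fields the browser must not change. Names listed in
// $unlocked (the equivalent of disabledFields) are left out of the locked set.
function buildFieldsToken(array $fieldNames, array $hiddenValues, array $unlocked = array()) {
    sort($fieldNames);
    $locked = array_diff_key($hiddenValues, array_flip($unlocked));
    ksort($locked);
    return hash_hmac('sha1', serialize(array($fieldNames, $locked)), FORM_SECRET);
}

// Verify a submitted POST against the token it carried. The hash is recomputed
// from the posted data, so an added or removed field, or an altered value of a
// locked hidden field, yields a mismatch (the "blackhole" case).
function verifyFieldsToken(array $post, array $hiddenNames, array $unlocked = array()) {
    if (!isset($post['_Token']['fields']) || !is_string($post['_Token']['fields'])) {
        return false;
    }
    $data = $post;
    unset($data['_Token']);
    $hiddenValues = array();
    foreach ($hiddenNames as $name) {
        $hiddenValues[$name] = isset($data[$name]) ? $data[$name] : null;
    }
    $expected = buildFieldsToken(array_keys($data), $hiddenValues, $unlocked);
    return hash_equals($expected, $post['_Token']['fields']);
}

// Constructed form: two visible inputs and two hidden ones; 'step' is unlocked
// because client-side Javascript is expected to change it.
$hiddenNames = array('post_id', 'step');
$unlocked    = array('step');
$rendered    = array('title' => '', 'body' => '', 'post_id' => '42', 'step' => '1');
$token       = buildFieldsToken(array_keys($rendered), array('post_id' => '42', 'step' => '1'), $unlocked);

// Legitimate submission: the unlocked hidden field changed, everything else intact.
$good = array('title' => 'Hello', 'body' => 'text', 'post_id' => '42', 'step' => '3',
              '_Token' => array('fields' => $token));
// Tampered submission: a locked hidden field was altered before posting.
$bad = $good;
$bad['post_id'] = '7';

var_dump(verifyFieldsToken($good, $hiddenNames, $unlocked));
var_dump(verifyFieldsToken($bad, $hiddenNames, $unlocked));
```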