Tony Thomas

Father to two, husband to one, web developer and musician.



Simple Security in CakePHP

When I started to dig in to investigate using the Security Component of CakePHP, I was a bit daunted. It took me quite a while to get my head around ACL after all. Then I found this article. Here’s the crux:

The Security component will create a hash based on the form fields produced by our Form Helper. If someone tampers with the form fields (by adding or removing or changing any field), the hash is not going to match with the expected one and the add() action will fail.

Yep, it’s that simple.

Really? It just can’t be that easy, can it? Yes. It can. I simply added the Security Component to my controller like so:

var $components = array('Security');

Sure enough, when I reloaded a page with a form in my browser, this hidden field was there:

<input id="TokenFields1483167134" name="data[_Token][fields]" type="hidden" value="f513aebc448fabe42c7feedf31d43fa5bd71ec79%3An%3A0%3A%7B%7D" />

I installed a Firefox Add-on that allowed me to tamper with the POST data, and when I submitted the form, it failed, or in CakePHP terms, it was “Blackholed.” Awesome.
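To make the mechanism concrete, here is an added example written for this post in plain PHP; it is not CakePHP's own code but a minimal model of the same idea: hash the list of field names the form rendered, ship the hash in a hidden field, and recompute it on POST so any added, removed or renamed field fails the comparison. The salt value, the helper names and the `Post.title`/`Post.body` field names are assumptions for the demo.

```php
<?php
// Added example (not CakePHP's code): a minimal version of the idea behind
// data[_Token][fields]. The server hashes the set of field names it rendered,
// embeds the hash as a hidden field, and recomputes it from the POST body.
// SECRET stands in for the application's salt; a real app keeps it in config.
const SECRET = 'example-salt-change-me';

// Build the token for the fields a form renders. Names are sorted so that
// field order in the POST body does not matter, only the set of names does.
function buildToken(array $fieldNames): string {
    sort($fieldNames);
    return hash_hmac('sha1', serialize($fieldNames), SECRET);
}

// Render the hidden token field, as a form helper would.
function tokenField(array $fieldNames): string {
    return sprintf('<input name="data[_Token][fields]" type="hidden" value="%s" />',
        htmlspecialchars(buildToken($fieldNames), ENT_QUOTES));
}

// Turn data[Post][title] style nesting into 'Post.title' names.
function flattenKeys(array $data, string $prefix = ''): array {
    $names = [];
    foreach ($data as $key => $value) {
        $name = $prefix === '' ? (string)$key : "$prefix.$key";
        if (is_array($value)) {
            $names = array_merge($names, flattenKeys($value, $name));
        } else {
            $names[] = $name;
        }
    }
    return $names;
}

// Validate a submitted POST body (the decoded data[] array). Returns true when
// the submitted field set matches the token; false means "blackhole it".
function validatePost(array $post): bool {
    if (!isset($post['_Token']['fields']) || !is_string($post['_Token']['fields'])) {
        return false;
    }
    $submitted = $post['_Token']['fields'];
    unset($post['_Token']);                       // the token is not itself hashed
    $expected = buildToken(flattenKeys($post));
    return hash_equals($expected, $submitted);    // constant-time comparison
}

// Constructed demo: the form rendered Post.title and Post.body.
$rendered = ['Post.title', 'Post.body'];
$good     = ['Post' => ['title' => 'Hi', 'body' => 'Text'],
             '_Token' => ['fields' => buildToken($rendered)]];
$tampered = $good;
$tampered['Post']['user_id'] = 1;                 // a field the form never rendered
var_dump(validatePost($good), validatePost($tampered));
```

The first `var_dump` result is the untouched form passing; the second shows the extra `user_id` field changing the recomputed hash so the request is rejected, which is the behaviour the hidden field above gives you for free.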

This isn’t going to protect me from all attacks, but it certainly is a good, easy start to implementing security in my application.
