Writing Secure Code with CakePHP 2.x Forms

Advertisement

Advertisement

CakePHP is one of my favorite web frameworks. There is one glaring security hole that caught my attention though. Without proper care from the developer, users have the potential to tamper with data sent with forms. For example, a common operation is to take the value from a form and save it like this:

$this->User->save($this->request->data['User']);

Let's say the user manipulates the form and adds this line:

<input name="data[User][admin]" value="1" />

Without proper intervention, the user may have just set their account to an admin!

It is imperative to sanitize the data where necessary. It can be as simple as:

unset($this->request->data['User']['admin']);

In the end, I wouldn't consider this a flaw in CakePHP. It's similar to programming with SQL queries, it's up to the developer to ensure the user did not pass bad data, and it's the developer's responsibility not to put raw user input in a query. Let this be a warning to young CakePHP developers!

Advertisement

Advertisement