Ensuring CakePHP Security: Guarding Against Form Injection

Currently, I have a Users table with the following structure:

|**id**|**username**|**password**|**role**|**email**|

When creating an edit page for users to update their username/password/email, but not their role, I am using CakePHP's form helper. I am checking for any injected role POST fields in the request to ensure that users cannot change their role unintentionally. However, I am looking for a more efficient way to handle this, especially as the table grows larger. Below is the current code snippet for the edit action:

public function edit($id = null)
    {
        $this->User->id = $id;

        if(!$this->User->exists())
        {
            throw new NotFoundException('Invalid user');
        }

        $userToEdit = $this->User->findById($id);
        if(!$userToEdit)
        {
            throw new NotFoundException('Invalid user');
        }

        if($this->getUserRole() != 'admin' && $userToEdit['User']['owner'] != $this->Auth->user('id'))
        {
            throw new ForbiddenException("You do not have permission to edit this user");
        }

        if($this->request->is('post') || $this->request->is('put'))
        {
            //Do not reset password if empty
            if(empty($this->request->data['User']['password']))
                unset($this->request->data['User']['password']);

            if(isset($this->request->data['User']['role']))
                unset($this->request->data['User']['role']);

            if($this->User->save($this->request->data))
            {
                $this->set('success', true);
            }
            else
                $this->set('success', false);
        }
        else
        {
            $this->request->data = $this->User->read();
            //Prevent formhelper from displaying hashed password.
            unset($this->request->data['User']['password']);
        }
    }
phpsecuritycakephp

Answer №1

When using the save() method, the third parameter allows you to specify which fields to save. Check out the Model::save() documentation for more information.


$this->User->id = $this->Auth->user('id');
$this->User->save($this->request->data, true, array('username', 'email'))

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Having trouble with your WordPress site? Encountering the error message: Argument 2 missing for wpdb::prepare(). Need assistance

Having recently added a new plugin to my Wordpress CMS, I encountered a PHP error on both my site and the Wordpress CMS: Warning: Missing argument 2 for wpdb::prepare(), called in /home/a4921378/public_html/wp-content/themes/xscholar/framework/includes/ ...

phpwordpress

Combine and update JSON files by matching ID's in PHP

I am facing an issue with merging JSON files in PHP. I want to overwrite data when the id's match, but it's not working as expected. Here is my PHP code: foreach($instagram_array['data'] as $key => $image){ $id = $image['id ...

phparraysjson

How can I minimize the number of polymorphic methods in my MVC design?

Currently, I am tackling a challenge in creating an MVC framework using PHP, even though my primary expertise lies in Java. I am on the lookout for a solution that aligns with OOP principles and is easily adaptable to various programming languages. Within ...

javaphpmodel-view-controllerooppolymorphism

Eliminating Repetition: Preventing Message Duplication in WordPress Database Entries

Whenever I attempt to insert a single post into the database using wp_insert_post(), two posts end up getting added: Ajax request: /wp-admin/admin-ajax.php?action=getchats&chat_type=all-chat&last_msg=110&add_msg=true&chat_message=hellow ...

phpajaxwordpress

A collection of items that mysteriously affix themselves to the top of the page as

Unique Context In my webpage, I have a specific div element with the CSS property of overflow: auto. Within this scrolling div, there is structured content like this: <h3>Group A</h3> <ul> <li>Item 1</li> <li>I ...

phpjavascriptjqueryhtmlcss

Guide for dividing XML children into multiple children by using PHP and a specified delimiter

I am facing a challenge with an XML child that contains multiple URLs separated by '|' For example: <ImageURL>https://example.com/example.jpg|https://example.com/example2.jpg</ImageURL> I aim to develop a PHP function that can separ ...

phpxml

Error in PHP email header causing sending issue

I am attempting to send an HTML email through PHP. Here is the code I have written: $to = "<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="760213050236021305025815191b">[email protected]</a>"; $from = "$senderEmai ...

phpemail

Utilizing FFProbe for Obtaining Codec Information

After attempting several different methods to extract a video's codec using FFProbe, such as this one, all I seem to receive is occasional [/STREAM]. Here is the current approach I am testing: $codec = exec("ffprobe -v error -show_entries -show_stre ...

phpffmpegffprobe

How can HTML output be automatically indented?

Seeking a way to automatically indent the HTML generated by my PHP script. I currently use HTML Purifier for validating internal textbox inputs, but I have reservations about using HTML Tidy due to its lack of active development and numerous reported bugs ...

phphtmlindentation

What is the best way to move between websites or pages without having to reload the current page using a selector?

Have you ever wondered how to create a webpage where users can navigate to other websites or pages without seeing their address, simply by selecting from a drop-down menu? Take a look at this example. Another similar example can be found here. When visit ...

javascriptphphtmlcssajax

Innovative approach for showcasing JSON array using checkboxes

I have created a multidimensional array using JSON. However, now I am facing the challenge of organizing groups of checkboxes in a visually appealing manner, such as separating them with horizontal bars or placing them into tables. Here is an example of t ...

phparraysjsoncheckbox

Why isn't this ajax script able to successfully transmit the data?

I'm having some trouble sending a JavaScript variable to a PHP file in order to create a query. Here's the script I've been using, but unfortunately it doesn't seem to be working. Any assistance would be greatly appreciated. <select ...

javascriptphpjqueryjsonajax

Contemplating the protection of an Android online platform

In the process of developing an Android app to connect to a http server, I have implemented a web service that sends JSON data to a PHP script on the server. This PHP script then accesses the desired database and inserts the JSON objects. However, my focu ...

phpandroidweb-servicesjson

Do not include quotation marks around the echo json_encode() function

$result = mysql_query("SELECT * FROM $tableName WHERE id=1"); $array = mysql_fetch_array($result); $help_name = $array['name']; $req = $array['req']; //fetch result echo json_encode($help_name); Issue arises ...

phpjsonajax

Using AJAX to process PHP form submissions

Here is the script in the head of my document: <script> $(function () { $('form#ratingsform').on('submit', function (e) { $.ajax({ type: 'post', url: '/dev/scripts/ratevideo_vibrary.php& ...

phpajaxforms

The second AJAX call is unsuccessful

I have created a dynamic ajax website that retrieves pages from the /pages folder and displays them within an ajax-container div on my index.php. Now, I am looking to implement a second ajax request that will only be triggered on certain pages. For examp ...

javascriptphpjqueryajax

Creating a new model in Laravel and storing it in the database

I'm currently diving into the world of the Laravel framework, and I find myself a bit puzzled by the ORM system. Within my database setup, there are 3 tables: projects (projectID, projectName, etc...) tags (tagID, tag) project_tags (ID, projectID, ...

phplaravelorm

How can I construct an application by utilizing designated keys through the Phonegap Build API?

I'm currently utilizing the Phonegap Build API for my project. For connecting to the Phonegap plugin, I am making use of a PHP library that is open source. If you're interested, you can find it here: https://github.com/mradionov/phonegap-build- ...

phpcordovaphonegap

Can you search for a specific word within a mediumblob file stored in the database?

Within my database, I have the following information: name mime size data Untitled.txt text/plain bigint(20) Mediumblob I need to search for a specific word within this file using a search command. ...

phpdatabasefilesearch

Dynamic number of parameters in Laravel routes

I'm attempting to develop a route that includes a mandatory parameter followed by an indefinite number of parameters. The exact count of additional parameters is uncertain, but it will always be more than zero. <?php Route::get('{tree_slug}/{ ...

phprouteslaravel