I have a question about the CakePHP 2 forms security. Let’s assume that we have the Security Component enabled and have already built users authentication, permissions, and product management system.
We need to create an Offer Request feature, which allows users to ask for an offer for a specific product.
The user is logged in and clicks on “ask” and goes to /offer_requests/add/product_id
Scenario 1:
In the /Views/OfferRequests/add.ctp:
<?php
echo $this->Form->create('OfferRequest');
// the owner is written into a hidden field from the session
echo $this->Form->input('user_id', array(
    'value' => $this->Session->read('Auth.User.id'),
    'type' => 'hidden'
));
echo $this->Form->input('product_id');
echo $this->Form->input('quantity');
echo $this->Form->end(__('Submit'));
?>
Scenario 2:
In the /Views/OfferRequests/add.ctp:
<?php
echo $this->Form->create('OfferRequest');
echo $this->Form->input('product_id');
echo $this->Form->input('quantity');
echo $this->Form->end(__('Submit'));
?>
And in the OfferRequestsController add():
<?php
// inside add(), before the save: the owner comes from the session, not from the form
$this->request->data['OfferRequest']['user_id'] = $this->Session->read('Auth.User.id');
?>
My question is which scenario is safer, for example against making false requests as another user. For scenario 1, does the Security Component allow manipulating input values through Firebug or some other software?
Yes, the security component adds automatic prevention of form tampering:
From the docs:
As stated in the other answer, you can use the fieldsList option when saving your data instead. With the security component, however, you would be able to add the user_id as a hidden field (scenario 1) and not worry about its value being tampered with. This would prevent the necessity to set it in the controller (scenario 2).
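A controller that combines both answers, as an added example (not code from the question, the answer or CakePHP itself): it keeps the Security Component's form hash, still takes user_id from the session, restricts the save to a fieldList, and logs every black-holed submission. The OfferRequest model and its columns, and the tamperDetected callback name, are assumptions.

```php
<?php
// Added example for a CakePHP 2.x app. Assumes Auth and Security components
// and an OfferRequest model with user_id, product_id, quantity (assumptions).
App::uses('AppController', 'Controller');

class OfferRequestsController extends AppController {

    public $components = array('Auth', 'Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // Submissions whose field list or hidden values no longer match the
        // hash are "black-holed"; route them to a handler so each one is logged.
        $this->Security->blackHoleCallback = 'tamperDetected';
    }

    public function tamperDetected($type) {
        // $type names the failed check ('auth' for a form hash mismatch,
        // 'secure' for HTTP method / SSL requirements).
        CakeLog::write('warning', sprintf(
            'Form tampering (%s) from %s by user %s',
            $type, $this->request->clientIp(), AuthComponent::user('id')
        ));
        throw new BadRequestException(__('The submitted form was altered.'));
    }

    public function add($productId = null) {
        if ($this->request->is('post')) {
            // Defence in depth: even with the form hash in place, the owner
            // of the request is taken from the session, never from POST data.
            $this->request->data['OfferRequest']['user_id'] = AuthComponent::user('id');
            $this->OfferRequest->create();
            // The save is limited to the columns this action may set, so any
            // extra field smuggled into the request body is ignored.
            $saved = $this->OfferRequest->save($this->request->data, array(
                'fieldList' => array('user_id', 'product_id', 'quantity'),
            ));
            if ($saved) {
                $this->Session->setFlash(__('Your offer request has been sent.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The offer request could not be saved.'));
        }
        // passed to the view so the form can preselect the product
        $this->set('productId', $productId);
    }
}
```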