Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Using CakePHP 1.3, I have a (working) form that has dynamically created form fields (via Javascript). Everything works great, multiple models are saved via saveAll(), and it’s just beautiful.
But, I get black-holed to a 404 whenever I enable the Security component (hoping to get some of the auto-magic CSRF protection).
I understand that this may be (probably is!) caused by the dynamically created form fields, as mentioned in the docs.
Is there a way to get them to play nicely together?
You can’t have your Cake and eat it, too. (Cha-ching!)
CSRF protection means precisely that only a certain list of form fields is allowed to be submitted. This list is decided upon and fixed at the time the form is created. You can’t be CSRF protected and dynamically alter the fields in the form.
There are two solutions:
If the number and names of the dynamically created fields are limited, create them all in the form and hide them using CSS, then show them using Javascript. This way you’re not dynamically creating the fields, but are only dynamically showing them.
If that doesn’t work, you can either whitelist the fields using the
$disabledFieldsoption (again, only if their names are known in advance) or disable CSRF altogether with the$validatePostoption.