Writing Secure Code with CakePHP 2.x Forms

CakePHP is one of my favorite web frameworks. There is one glaring security hole that caught my attention, though: unless the developer takes care, a user can tamper with the data a form submits, adding fields the form never rendered, and the model will happily save them. For example, a common operation is to take the submitted form data and save it directly, like this:

$this->User->save($this->request->data['User']);
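As an added example (not code from the original post), here is the same save call twice: once unrestricted, once restricted with the `fieldList` option that CakePHP 2.x's `Model::save()` accepts, which whitelists the columns a single save may write. The `role` column and the contents of the request are assumed for illustration; the snippet belongs inside a CakePHP 2.x controller action.

```php
<?php
// Added example, not part of the original post. Intended to run inside a
// CakePHP 2.x controller action where $this->User is a loaded model.
// The 'role' column and the request contents below are assumed.

// Constructed request data: a registration form legitimately sends
// username, email and password. The fourth key is one a user injected
// by editing the form in the browser before submitting it.
$tampered = array(
    'User' => array(
        'username' => 'mallory',
        'email'    => 'mallory@example.com',
        'password' => 'hunter2',
        'role'     => 'admin',   // never part of the rendered form
    ),
);

// Vulnerable: every submitted key that matches a column is written,
// so the injected 'role' value ends up in the users table.
$this->User->create();
$this->User->save($tampered['User']);

// Hardened: fieldList whitelists the columns this action may write.
// Keys outside the list (here 'role') are discarded before the INSERT,
// regardless of what the client put in the request.
$this->User->create();
$saved = $this->User->save($tampered['User'], array(
    'fieldList' => array('username', 'email', 'password'),
));
if (!$saved) {
    // Validation failed; $this->User->validationErrors holds the details.
}
```

`fieldList` is per call, so each action that saves user-supplied data needs its own list of the columns it is allowed to touch; the whitelist should name what the form legitimately sends, never be derived from the request itself.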

Let's say the user manipulates the form and adds this line: