I noticed this recently when we started creating the security component of a project. The best way to explain the issue is to give an example:

Imagine that in your application you create an “edit profile” action where each user can change the personal details for his account. Of course there will be fields for changing the user’s real name, password, email etc., but the username field should be read-only.

The direct approach to creating such a page is to reuse the “edit” action of the user’s controller, but instead of getting the ID from the URL, it needs to be fetched from the session’s auth variable. The second thing you have to do is remove the “username” field from the view, and you are done. :) Well, fast and easy, but not very secure…

What can be done? Well, of course, in the example above the “hacker” needs to be logged in. So, the easiest approach is to go to the profile page and use the Firebug plugin to add a field on the fly with the name data[User][username] and set a value in it. After submitting, if there are no additional checks, the username will be successfully changed. The worst example is when, instead of the username, the user changes his security group … and on the next login he gets admin privileges. Scary, huh?

Of course, CakePHP is a rich framework and it’s possible to prevent such an intrusion. In the Model there is a class variable called $whitelist. In this variable you can list the fields that are allowed to be saved.
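
The effect of restricting saved fields to a whitelist, as an added example in framework-free PHP (not code from the original post and not CakePHP's own implementation). The function name, field names and sample request are constructed for illustration.

```php
<?php
// Added illustration in plain PHP; it mimics the effect of a model whitelist
// and is not CakePHP's own implementation. All names here are hypothetical.

// Fields the "edit profile" action is allowed to write.
const PROFILE_WHITELIST = ['name', 'email', 'password'];

/**
 * Split posted data[User] fields into those allowed and those rejected.
 * The record id is never taken from the request, only from the session.
 */
function filterProfileData(array $posted, int $sessionUserId): array
{
    $allowed  = array_intersect_key($posted, array_flip(PROFILE_WHITELIST));
    $rejected = array_keys(array_diff_key($posted, $allowed));
    $allowed['id'] = $sessionUserId; // overrides any posted id
    return ['save' => $allowed, 'rejected' => $rejected];
}

// Constructed request: the form only shows name and email, but the
// submitted POST body also carries username, group_id and id.
$post = ['User' => [
    'name'     => 'Alice Example',
    'email'    => 'alice@example.com',
    'username' => 'admin',
    'group_id' => '1',
    'id'       => '7',
]];

$result = filterProfileData($post['User'], 42); // 42 = id from the session

// Only whitelisted fields plus the session-derived id reach the save step.
print_r($result['save']);

// Unexpected fields are worth logging: the rendered form never sends them.
if ($result['rejected']) {
    error_log('edit profile: dropped fields ' . implode(', ', $result['rejected']));
}
```

Logging the dropped field names gives a cheap tampering signal, since a request built from the unmodified form never contains them.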

So bear this in mind while you are coding your applications and sites :)


2 Comments to “Security Issue in CakePHP”

  1. Abhimanyu Grover | April 3rd, 2008 at 9:49 am

    Nice post. I hadn't heard about $whitelist, it would be handy for sure.

  2. lqdice | July 8th, 2008 at 6:48 pm

    Actually the Security component prevents against this. No need to whitelist fields individually, that is just too much work!
