Can I use dynamically created form fields with the Security Component in CakePHP 1.3?

Using CakePHP 1.3, I have a (working) form that has dynamically created form fields (via Javascript). Everything works great, multiple models are saved via saveAll(), and it's just beautiful.

But, I get black-holed to a 404 whenever I enable the Security component (hoping to get some of the auto-magic CSRF protection).

I understand that this may be (probably is!) caused by the dynamically created form fields, as mentioned in the docs.

Is there a way to get them to play nicely together?

asked Sep 22 '10 18:09 by anonymous coward


1 Answer

You can't have your Cake and eat it, too. (Cha-ching!)

CSRF protection means precisely that only a certain list of form fields is allowed to be submitted. This list is decided upon and fixed at the time the form is created. You can't be CSRF protected and dynamically alter the fields in the form.

There are two solutions:

1. If the number and names of the dynamically created fields are limited, create them all in the form and hide them using CSS, then show them using Javascript. This way you're not dynamically creating the fields, but are only dynamically showing them.
2. If that doesn't work, you can either whitelist the fields using the $disabledFields option (again, only if their names are known in advance) or disable CSRF altogether with the $validatePost option.

answered Sep 23 '22 14:09 by deceze
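
The second option from the answer, sketched as a CakePHP 1.3 controller. This is an added example, not code from the question or the answer; the controller, model and field names and the row limit are assumptions chosen for illustration.

```php
<?php
// app/controllers/orders_controller.php
// Added example: OrdersController, LineItem, the field names and
// $maxDynamicRows are hypothetical and not taken from the original post.
class OrdersController extends AppController {
    var $name = 'Orders';
    var $components = array('Security');

    // Assumed upper bound on the rows the client-side script may add.
    // The names must be known in advance, so the bound has to be fixed.
    var $maxDynamicRows = 10;

    function beforeFilter() {
        parent::beforeFilter();

        // Relax POST validation only for the action that receives the
        // dynamic form; every other action keeps the full field check.
        if ($this->action === 'add') {
            $exempt = array();
            for ($i = 0; $i < $this->maxDynamicRows; $i++) {
                // saveAll()-style names for each possible dynamic row.
                $exempt[] = "LineItem.$i.product_id";
                $exempt[] = "LineItem.$i.quantity";
            }
            $this->Security->disabledFields = $exempt;

            // Broader fallback from the answer, left disabled here because
            // it switches POST validation off for the whole form:
            // $this->Security->validatePost = false;
        }
    }

    function add() {
        if (!empty($this->data)) {
            // Exempted fields are excluded from the Security component's
            // POST validation, so the model validation rules are the only
            // check on them. 'validate' => 'first' validates every record
            // before anything is written.
            if ($this->Order->saveAll($this->data, array('validate' => 'first'))) {
                $this->Session->setFlash('Order saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }
}
```

Fields that are not listed in `disabledFields` are still covered by the component, so the static part of the form keeps its protection.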