This is the documentation for concrete5 version 5.6 and earlier. View Current Documentation

When you develop a block or dashboard page that takes input and acts on that input, perhaps making a change to the database, it is important to know that the form or ajax submission has genuinely come from your block or page view and not from an evil being pretending to be that page so they can mess with your site data.

The solution is to add an encrypted token to the page, then check for that encrypted token when handling input from that page, so validating the input is genuine. Concrete5 provides a validation/token helper for generating encrypted tokens and the validation/form helper for generally validating forms also includes validation of the encrypted token.

Starting with a form in the view, include a hidden field called ccm_token:

$vt = Loader::helper('validation/token');
echo $form->hidden('ccm_token',$vt->generate('my_text_key'));

The key can be anything you like. I usually use the single page handle, the controller action name or package handle.

In the controller action or tool that handles the input:

$data = $_POST; // or however you are getting the data, maybe $args
$vf = Loader::helper('validation/form');
if ($vf->test()) {
  // all OK, do normal processing to update the database.
} else {
  // security error, often ending up in
  die("Access Denied.");
  // but you could instead just feed back a message

The above isn't the only security you need. Unless already in a context where concrete5 has confirmed the user is logged in and has permission (such as in a dashboard page), you should also be checking login status and permissions before updating the database.

The above can be adapted in the vast majority of situations, including ajax actions.

This can get complicated when a dialog has multiple actions or in nested dialogs, where concrete5 can become confused by a profusion of tokens. In such situations you may need to share a single token between all actions and tasks the block or page view interacts with.

You can find more information amongst the documentation for basic validation and in this forum post by Jordanlev.

Read more How-tos by JohntheFish

Loading Conversation