cakephp hidden field issue

Question

I have a problem with an input field in a view called add.ctp. When the input type is set to 'text', the program sequence is normal. But when I change the input type to 'hidden', the following error is displayed:

The request has ben black-holed. Error: The requested address was not found on this server.

mod-rewrite seems activated. Any ideas, what can be the reason for this?

score 7 · Answer 1 · answered Feb 08 '14 at 23:24

There is no error with your code. CakePHP's Security component checks hidden form fields to prevent tampering by end users:

By default SecurityComponent prevents users from tampering with forms. It does this by working with FormHelper and tracking which files are in a form. It also keeps track of the values of hidden input elements. All of this data is combined and turned into a hash. When a form is submitted, SecurityComponent will use the POST data to build the same structure and compare the hash.

Use FormHelper::unlockField to make a field exempt from this feature:

$this->Form->unlockField('User.id');

@jacob We should not be using form unlock method. It will cause security issues. — Invincible, Sep 20 '18 at 10:55

score 1 · Answer 2 · answered Feb 08 '14 at 23:12

1

This means there is an error with your code. Here is how to create hidden textbox

   echo $this->Form->input('field_name', array('type'=>'hidden'));

answered Feb 08 '14 at 23:12

Fury

4,643
5
50
80

This is the right way of handling Cakephp 3 "form temparing" and "unexpected field" errors – Invincible Sep 20 '18 at 10:58

score 0 · Answer 3 · answered Feb 08 '14 at 23:28

I think It's because you are using SecurityComponent.

THe component monitor the form integrity, the hidden field shouldn't change from the user and because of that the security component "decide" that the something malicious has been done with the form for example CSRF attack and it prevent the submit. And I believe you are having some JavaScript which change the field value for some reason.

Invincible · Answer 4 · 2018-09-20T11:33:56.023

CakePHP 3

Please do not unlock fields/disable CSRF security component for any particular action. This is important for the form security.

for those who are getting "The request has been black-holed." ,"form tampered error", "you are not authorized to access that location." or "unexpected field in POST data". It is mainly due to the CSRF component working as expected.

Disabling or modifying it is not a solution. Instead of disabling, please follow the right approach.

The right way should be as below:

On the Form, Add a hidden field as below.

 <?= $this->Form->text('TPCalls.ID',['label' => false, 'class' => 'hidden']); ?>

before AJAX add the field

$("input[name='TPCalls[ID]']").val(event.id);

Then serialise it

var el = $("#xyzForm");

var ajaxTPCalls = el.serializeArray();
  $.ajax({
                            type: el.attr('method'),
                            async: true,
                            url:  el.attr('action'),
                            data: ajaxTPCalls,
                            dataType: "json",
                            cache: false,
                            success: function (data) {

                                toastr.success(data.message, data.title);
                            },
                            error: function (jqXHR) {
                                if (jqXHR.status == 403) {
                                    $("body").html(jqXHR.responseText);
                                }
                            }
                        });

This way you do not disable CSRF or unlock any field. Any suggestions welcome.

This looks unnecessarily complicated to me. There's nothing wrong with unlocking a field that is meant to be changed after the page has been served. So either unlocking a given field, or converting it to a CSS-hidden `type="text"` input should be fine — ᴍᴇʜᴏᴠ, Feb 11 '22 at 13:06

cakephp hidden field issue

4 Answers4