Secure use of dynamic form fields

Hello all,

I would like to use dynamic form fields in my app and read about black holes when using security component.
Because I want to put my project online later and allow signup of users, I just wonder what solution approaches for this problem exist and if they are a security risk?
Lets for example say I have a sign up form, where users should be able to add an arbitrary number of appointments with datetime, title and description before saving the user and with the possibility of cancelling registration. Is it true that there is no way to combine dynamic number of records with the build in security component? If yes, what is the exact reason for this? For my understanding it should not make a big difference if I create arbitrary appointments step by step inside appointments view, or save a dynamic number of appointments by adding related form inputs inside the users view. Is the pure number of added database rows a security risk and wouldn’t it be possible to check everything else beside the number of records?
I also thought about using Ajax requests to store the appointments without submitting the users form and use transactions to be able to cancel registration and rollback all appointments. But transaction did only work for the user model - the appointments appeared in the database right after adding them via Ajax request and before commiting the transaction. If there is no secure way to use dynamic form fields by adding dynamic rows in the form…is it possible to “wrap” the appointment controller actions called by the Ajax requests into the transaction started within the user model?
And last but not least, is there any difference between Cake 2.x and Cake 3.x regarding this topic?

Best regards

Yes it is true, and the reason is that the security component (Or more accurately, the form tampering protection inside the security component) works be generating a token based on the form fields that you create. This token is then sent to the server, along with the posted for data. The posted data is then used to create another token which is compared to the original token (Using session data, etc.). If the two match, then everything is good, if they do not match, then somebody altered the form.

There is no way of generating this token on the client, because that would immediately open up your application to form tampering. However, you can disable/exclude certain fields from the token generation if you know that they will be modified. The example of dynamic form fields (Such as an arbitrary amount of appointments) is a perfect example of the kind of data that you don’t want be included in the token. The other data on the same form (e.g. username and password) is something that you would want to be protected.

There is no practical difference between CakePHP 2.x and CakePHP 3.x, but there are a few technical and implementation differences.

Hope this helps!