I would like to use dynamic form fields in my app and read about black holes when using security component.
Because I want to put my project online later and allow signup of users, I just wonder what solution approaches for this problem exist and if they are a security risk?
Lets for example say I have a sign up form, where users should be able to add an arbitrary number of appointments with datetime, title and description before saving the user and with the possibility of cancelling registration. Is it true that there is no way to combine dynamic number of records with the build in security component? If yes, what is the exact reason for this? For my understanding it should not make a big difference if I create arbitrary appointments step by step inside appointments view, or save a dynamic number of appointments by adding related form inputs inside the users view. Is the pure number of added database rows a security risk and wouldn’t it be possible to check everything else beside the number of records?
I also thought about using Ajax requests to store the appointments without submitting the users form and use transactions to be able to cancel registration and rollback all appointments. But transaction did only work for the user model - the appointments appeared in the database right after adding them via Ajax request and before commiting the transaction. If there is no secure way to use dynamic form fields by adding dynamic rows in the form…is it possible to “wrap” the appointment controller actions called by the Ajax requests into the transaction started within the user model?
And last but not least, is there any difference between Cake 2.x and Cake 3.x regarding this topic?