Published by Mijingo


EE Insider Blog


SafeSharpener Adds Additional Security to SafeCracker

The description says it all:

Imagine an online application using a channel with many fields. Some are suitable for submission from a SafeCracker form and some are not (perhaps ‘admin notes’ or ‘store credits’; could be anything). With SafeCracker in its current state, if the name of a sensitive field can be established, it can be updated by injecting a hidden field into the edit form. This amounts to, at best, security through obscurity and at worst a gaping security hole.

If you have fields that you don’t want to ever be accessed via SafeCracker, you should either not put those fields in the custom field group at all or use something like SafeSharpener. The developer, Darren Miller, is asking that something similar to this be added into SafeCracker.
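The problem described above is a mass-assignment issue: the form handler writes every posted key that happens to match a channel field. The fix the add-on represents is a per-form allowlist enforced on the server. The snippet below is an added illustration, not SafeSharpener's or SafeCracker's own code, and uses no ExpressionEngine API; the field names, the `collect_fields_*` functions and the sample submission are constructed for the example.

```php
<?php
// Added example: server-side field allowlist for a public edit form.
// Constructed field names; not ExpressionEngine's real schema.

// Every custom field in the channel's field group (constructed sample).
const CHANNEL_FIELDS = ['title', 'body', 'summary', 'admin_notes', 'store_credits'];

// The subset this particular form is permitted to update. Anything else is
// dropped on the server, regardless of what inputs the client sends.
const FORM_ALLOWED_FIELDS = ['title', 'body', 'summary'];

/**
 * Unsafe pattern: any posted key that matches a channel field is written.
 * Knowing a sensitive field's name is enough to overwrite it, which is the
 * weakness the quoted description calls security through obscurity.
 */
function collect_fields_unsafe(array $post): array
{
    $update = [];
    foreach ($post as $name => $value) {
        if (in_array($name, CHANNEL_FIELDS, true)) {
            $update[$name] = $value;
        }
    }
    return $update;
}

/**
 * Hardened pattern: only fields on the form's allowlist are written.
 * Real channel fields that are not on the allowlist are reported back so the
 * caller can log the attempt; unrelated keys (CSRF token, submit button) are
 * silently ignored.
 */
function collect_fields_allowlisted(array $post): array
{
    $update   = [];
    $rejected = [];
    foreach ($post as $name => $value) {
        if (in_array($name, FORM_ALLOWED_FIELDS, true)) {
            $update[$name] = $value;
        } elseif (in_array($name, CHANNEL_FIELDS, true)) {
            $rejected[] = $name;
        }
    }
    return ['update' => $update, 'rejected' => $rejected];
}

// Constructed submission: a normal edit plus one extra field that this form
// should never be able to touch.
$post = [
    'title'         => 'My entry',
    'body'          => 'Updated text',
    'store_credits' => '9999',
    'submit'        => 'Save',
];

// With the unsafe collector the extra field reaches the update.
$unsafe = collect_fields_unsafe($post);

// With the allowlisted collector it is stripped and reported.
$safe = collect_fields_allowlisted($post);
if ($safe['rejected'] !== []) {
    error_log('Rejected non-allowlisted fields: ' . implode(', ', $safe['rejected']));
}
```

The allowlist lives in server-side code, not in the form markup, so it cannot be altered by editing the page that is sent to the browser. Logging the rejected names is worth keeping: a submission that carries a valid but non-allowlisted field name is a useful detection signal, since an unmodified form never produces one.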

It’s a free add-on and available now at the SafeSharpener website.

Posted on Jun 15, 2011 by Ryan Irelan

Filed Under: Development Tools, EE Add-ons, EE Extensions