Question

I have a problem with an input field in a view called add.ctp. When the input type is set to 'text', the program sequence is normal. But when I change the input type to 'hidden', the following error is displayed:

The request has been black-holed. Error: The requested address was not found on this server.

mod-rewrite seems activated. Any ideas, what can be the reason for this?

No correct solution

OTHER TIPS

There is no error with your code. CakePHP's Security component checks hidden form fields to prevent tampering by end users:

By default SecurityComponent prevents users from tampering with forms. It does this by working with FormHelper and tracking which files are in a form. It also keeps track of the values of hidden input elements. All of this data is combined and turned into a hash. When a form is submitted, SecurityComponent will use the POST data to build the same structure and compare the hash.

Use FormHelper::unlockField to make a field exempt from this feature:

$this->Form->unlockField('User.id');
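The hashing described in the quoted documentation, as an added example that is not part of the original answer and is not CakePHP's code: a simplified model showing why a changed hidden value fails the comparison while an unlocked field does not. The function names, secret and token layout are assumptions made for illustration.

```php
<?php
// Simplified model of form-tamper protection; NOT CakePHP's actual algorithm.
// SECRET, the function names and the token layout are hypothetical.
const SECRET = 'constructed-demo-secret';

// Render time: hash the field names plus the values of hidden (locked) fields.
function buildToken(array $fields, array $hidden, array $unlocked = []): string
{
    $names = array_diff($fields, $unlocked);
    $locked = array_map('strval', array_diff_key($hidden, array_flip($unlocked)));
    sort($names);
    ksort($locked);
    $mac = hash_hmac('sha256', json_encode([$names, $locked]), SECRET);
    // The locked field names travel with the token so the server can rebuild them.
    return $mac . ':' . implode('|', array_keys($locked));
}

// Submit time: rebuild the same structure from the POST data and compare hashes.
function verifyPost(array $post, string $token, array $unlocked = []): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$mac, $lockedList] = $parts;
    $lockedNames = $lockedList === '' ? [] : explode('|', $lockedList);
    $names = array_diff(array_keys($post), $unlocked);
    sort($names);
    $locked = [];
    foreach ($lockedNames as $name) {
        $locked[$name] = $post[$name] ?? null; // a missing hidden field changes the hash
    }
    ksort($locked);
    $expected = hash_hmac('sha256', json_encode([$names, $locked]), SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demo data: a form with a text field "name" and a hidden field "id".
$token = buildToken(['name', 'id'], ['id' => '42']);
var_dump(verifyPost(['name' => 'alice', 'id' => '42'], $token)); // submitted as rendered
var_dump(verifyPost(['name' => 'alice', 'id' => '43'], $token)); // hidden value changed client-side
var_dump(verifyPost(['name' => 'alice', 'id' => '42', 'role' => 'x'], $token)); // field not in the form

// Same form with "id" unlocked: its value is left out of the hash.
$unlockedToken = buildToken(['name', 'id'], ['id' => '42'], ['id']);
var_dump(verifyPost(['name' => 'alice', 'id' => '43'], $unlockedToken, ['id']));
```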

This means there is an error with your code. Here is how to create a hidden textbox:

   echo $this->Form->input('field_name', array('type'=>'hidden'));

I think it's because you are using SecurityComponent.

The component monitors the form integrity. The hidden field shouldn't be changed by the user, and because of that the security component "decides" that something malicious has been done with the form, for example a CSRF attack, and it prevents the submit. And I believe you have some JavaScript which changes the field value for some reason.

CakePHP 3

Please do not unlock fields/disable CSRF security component for any particular action. This is important for the form security.

For those who are getting "The request has been black-holed.", "form tampered error", "you are not authorized to access that location." or "unexpected field in POST data": it is mainly due to the CSRF component working as expected.

Disabling or modifying it is not a solution. Instead of disabling, please follow the right approach.

The right way should be as below:

On the form, add a hidden field as below:

 <?= $this->Form->text('TPCalls.ID',['label' => false, 'class' => 'hidden']); ?>

Before the AJAX call, add the field:

$("input[name='TPCalls[ID]']").val(event.id);

Then serialise it:

var el = $("#xyzForm");
// Serialise all form fields, including the hidden one
var ajaxTPCalls = el.serializeArray();
$.ajax({
    type: el.attr('method'),
    async: true,
    url: el.attr('action'),
    data: ajaxTPCalls,
    dataType: "json",
    cache: false,
    success: function (data) {
        toastr.success(data.message, data.title);
    },
    error: function (jqXHR) {
        // On 403, show the error page returned by the server
        if (jqXHR.status === 403) {
            $("body").html(jqXHR.responseText);
        }
    }
});

This way you do not disable CSRF or unlock any field. Any suggestions welcome.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow