@ -1,7 +1,7 @@
Security best practices |
======================= |
Below we'll review common security principles and describe how to avoid threats when developing applications using Yii. |
Below we'll review common security principles and describe how to avoid threats when developing applications using Yii. |
Basic principles |
---------------- |
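Review bot: the removed and added "Below we'll review..." lines in this hunk are visually identical, so the change is presumably trailing-whitespace trimming; say so in the commit message, otherwise a reader diffing the two lines will assume the extraction lost the actual edit. Nothing else in this hunk changes.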
@ -56,7 +56,7 @@ SELECT * FROM user WHERE username = ''; DROP TABLE user; --'
This is valid query that will search for users with empty username and then will drop `user` table most probably |
resulting in broken website and data loss (you've set up regular backups, right?). |
In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO perpared |
In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO prepared |
statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above. |
Still, sometimes you need [raw queries](db-dao.md) or [query builder](db-query-builder.md). In this case you should use |
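Review bot: the "perpared" to "prepared" fix is correct, but the surrounding context lines in this hunk carry the same kind of defects and could be cleaned up in the same pass: "This is valid query that will search for users with empty username and then will drop `user` table most probably" reads better as "This is a valid query that will search for users with an empty username and then most probably drop the `user` table", and "it's not possible to manipulate query as was demonstrated above" wants "the query". The security claim itself is accurate as written: with PDO prepared statements the bound value is never parsed as SQL, so the `'; DROP TABLE user; --` payload shown in the hunk header stays a literal string.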
@ -69,7 +69,7 @@ $userIDs = (new Query())
->from('user') |
->where('status=:status', [':status' => $status]) |
->all(); |
// DAO |
$userIDs = $connection |
->createCommand('SELECT id FROM user where status=:status') |
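Review bot: the DAO example mixes keyword casing, `'SELECT id FROM user where status=:status'`; since this is the snippet readers will copy, make it `WHERE` to match the query-builder example above it. The only change in this hunk is a whitespace-only blank line, so the two examples are otherwise untouched; both correctly bind `$status` through the `:status` placeholder rather than interpolating it, which is the point the section is making.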
@ -138,7 +138,7 @@ Avoiding debug info and tools at production
In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these |
verbose errors are handy for attacker as well since these could reveal database structure, configuration values and |
parts of your code. Never run production applications with `YII_DEBUG` set to `true` in your `index.php`. |
You should never enalble Gii at production. It could be used to get information about database structure, code and to |
simply rewrite code with what's generated by Gii. |
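Review bot: this hunk only trims whitespace on the blank line, yet the context line "You should never enalble Gii at production" has the same class of typo ("enalble") that this commit fixes in the prepared-statements paragraph; fix it here too, and "at production" should be "in production" in both sentences. The guidance itself is sound: Gii and `YII_DEBUG` both expose database structure, configuration values and source, and Gii additionally writes generated code into the application, so neither belongs in a production deployment.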