From 0f0d9020b322ebf35e66b60ce20bc775fdaadf6d Mon Sep 17 00:00:00 2001 From: pana1990 Date: Sun, 14 Dec 2014 18:01:41 +0100 Subject: [PATCH] fix mistake small [skip ci] --- docs/guide/security-best-practices.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/guide/security-best-practices.md b/docs/guide/security-best-practices.md index 9697214..bd8cab4 100644 --- a/docs/guide/security-best-practices.md +++ b/docs/guide/security-best-practices.md @@ -1,7 +1,7 @@ Security best practices ======================= -Below we'll review common security principles and describe how to avoid threats when developing applications using Yii. +Below we'll review common security principles and describe how to avoid threats when developing applications using Yii. Basic principles ---------------- @@ -56,7 +56,7 @@ SELECT * FROM user WHERE username = ''; DROP TABLE user; --' This is valid query that will search for users with empty username and then will drop `user` table most probably resulting in broken website and data loss (you've set up regular backups, right?). -In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO perpared +In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO prepared statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above. Still, sometimes you need [raw queries](db-dao.md) or [query builder](db-query-builder.md). In this case you should use @@ -69,7 +69,7 @@ $userIDs = (new Query()) ->from('user') ->where('status=:status', [':status' => $status]) ->all(); - + // DAO $userIDs = $connection ->createCommand('SELECT id FROM user where status=:status') @@ -138,7 +138,7 @@ Avoiding debug info and tools at production In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these verbose errors are handy for attacker as well since these could reveal database structure, configuration values and parts of your code. Never run production applications with `YII_DEBUG` set to `true` in your `index.php`. - + You should never enalble Gii at production. It could be used to get information about database structure, code and to simply rewrite code with what's generated by Gii.