Yii Framework Forum: Discussion on the wiki article "How to write secure Yii applications" - Yii Framework Forum


Discussion on the wiki article "How to write secure Yii applications"

#1 François Gannaz

Posted 23 November 2011 - 04:48 AM

Hi

This topic should hold the questions and suggestions about the wiki article "How to write secure Yii applications". Quoting the rules written at the bottom of every wiki page:

Quote

Please only use comments to help explain the above article.
If you have any questions, please ask in the forum, instead.


I'll begin with a reply to the two comments that were already posted.

#2 François Gannaz

Posted 23 November 2011 - 04:54 AM

Quote

Thanks a lot for this article. I am going to visit my app and give it more enhancement concerning security. I have one question though. I have an app for listings where users post listings and an email is sent to them with a link to click for activation. How can I validate this, since it's coming through a GET variable?


There are 2 kinds of input in your application: listings and confirmation keys. If I didn't misunderstand, your question is about the confirmation keys.

They're probably a hexadecimal hash, so you can use the regular expression
/^[0-9a-f]+$/i

If the hash is not hexadecimal, you can still limit its size, and probably restrict the characters allowed (alphanumerical? or custom regexp?).

EDIT: Being GET or POST data changes nothing for validation. An application even has to validate other inputs, like uploaded files' content.
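As an added illustration of the answer above (example code, not from the wiki article or the post), here is how the hex-only regexp plus a length limit can be enforced as Yii 1.1 validation rules before the key is ever used in a query. It assumes a `User` model with `activation_key` and `is_active` columns and a 40-character key; both are assumptions.

```php
<?php
// Added example: validate an activation key received via GET in Yii 1.1.
// Assumed schema: table `user` with columns `activation_key`, `is_active`.

class ActivationForm extends CFormModel
{
    public $key;

    public function rules()
    {
        return array(
            array('key', 'required'),
            // Restrict both alphabet and size: 40 chars assumed (sha1-sized hex key);
            // adjust 'is' to whatever your key generator produces.
            array('key', 'length', 'is' => 40),
            array('key', 'match', 'pattern' => '/^[0-9a-f]+$/i'),
        );
    }
}

class UserController extends CController
{
    // Handles GET /user/activate?key=...  ($key is bound from the query string)
    public function actionActivate($key)
    {
        $form = new ActivationForm;
        $form->key = $key;
        if (!$form->validate()) {
            // Reject malformed input before any query runs; never echo it back unescaped.
            throw new CHttpException(400, 'Invalid activation key.');
        }
        // The key is now a bounded hex string; the lookup still uses a bound parameter.
        $user = User::model()->find(
            'activation_key=:key AND is_active=0',
            array(':key' => $form->key)
        );
        if ($user === null) {
            throw new CHttpException(404, 'Unknown or already used activation key.');
        }
        $user->is_active = 1;
        $user->activation_key = null;   // one-time use: the key cannot be replayed
        $user->save(false);
        $this->redirect(array('site/login'));
    }
}
```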

#3 François Gannaz

Posted 23 November 2011 - 05:06 AM

at 2011/11/22 09:18pm, yangmls wrote the comment:

Quote

Thank you for your excellent article

I have some different ideas

In SQL Injections

$comments = Comment::model->findAll(array("post_id" => $postId, "author_id" => $ids));

I think it has no effect...
the correct way is to use findAllByAttributes

That was a typo, I fixed it. Thanks.

Quote

In Authentication

I think a good solution is to generate a random salt in db [...]

Yes, we need to salt passwords, but that's not enough. What the PHPass library does is apply random salting, choose the best encryption algorithm available, iterate it a high number of times... What you propose is a good first step, but it is less secure than this library, whose author is a security expert and also the author of the famous "John the Ripper". And even your simple code isn't simpler than my suggested code that uses PHPass.

I'll update the article to explain in a few words what the library does.
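To make concrete what the reply above says PHPass adds over a hand-rolled salt, here is an added example (not the article's own code) of wiring PHPass into a Yii 1.1 ActiveRecord. It assumes PHPass's `PasswordHash.php` has been imported (for instance with `Yii::import('application.vendors.phpass.PasswordHash', true)`) and a `password_hash` column; both are assumptions.

```php
<?php
// Added example: PHPass-based password storage in a Yii 1.1 model.
// Assumed: PasswordHash class already imported; table `user` has `password_hash`.

class User extends CActiveRecord
{
    // Plain-text password coming from the form; it is never stored.
    public $password;

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'user';
    }

    private static function hasher()
    {
        // 8 = log2 of the iteration count (2^8 bcrypt rounds).
        // false = prefer bcrypt (CRYPT_BLOWFISH), then extended DES; PHPass only
        // falls back to its portable MD5-based scheme if neither is available.
        return new PasswordHash(8, false);
    }

    protected function beforeSave()
    {
        if ($this->password !== null && $this->password !== '') {
            // The returned string embeds algorithm id, cost and a random salt
            // (e.g. "$2a$08$..."), so no separate salt column is required.
            $hash = self::hasher()->HashPassword($this->password);
            if (strlen($hash) < 20) {
                // PHPass returns '*' when it cannot produce a hash; never store that.
                throw new CException('Password hashing failed.');
            }
            $this->password_hash = $hash;
            $this->password = null;
        }
        return parent::beforeSave();
    }

    // Called from the identity class during login.
    public function validatePassword($password)
    {
        return self::hasher()->CheckPassword($password, $this->password_hash);
    }
}
```

Because the salt and cost are stored inside the hash itself, the same `CheckPassword` call keeps working if the cost parameter is raised later for new accounts.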

#4 Sammaye

Posted 23 November 2011 - 07:57 AM

When allowing users to edit records I think one thing to state in the article is how to use bizrules and findByPk() to prevent users from changing rows that they do not own. Also I have found it much more secure to only ever do an initial find on PK when trying to find a record that a user is editing (when going to save or something), since finding on other attributes could lead to ambiguity, opening a potential (small but possible) door for users to affect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.

Dunno if this is security or common sense though to be honest.

#5 François Gannaz

Posted 23 November 2011 - 11:34 AM

Sammaye, on 23 November 2011 - 07:57 AM, said:

When allowing users to edit records I think one thing to state in the article is how to use bizrules and findByPk() to prevent users from changing rows that they do not own. Also I have found it much more secure to only ever do an initial find on PK when trying to find a record that a user is editing (when going to save or something), since finding on other attributes could lead to ambiguity, opening a potential (small but possible) door for users to affect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.

Dunno if this is security or common sense though to be honest.


Hi Sammaye

What you describe is the domain of Authorization, i.e. ensuring users only have access to the resources they have permissions on.

The wiki page I wrote completely skips this subject for now. It could be a section of the page, but I believe it should be on a separate page. It is a lengthy subject, and the way Yii implements it is rather complex. Maybe this wiki page could contain links to the official guide and to other wiki pages on this. I'll look for resources.
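The authorization pattern Sammaye raises in #4 and the reply calls "the domain of Authorization", as an added example (not code from the article or the thread): load the edited record by primary key only, then check ownership, with the equivalent RBAC bizRule shown alongside. It assumes a `Post` model with an `author_id` column and the logged-in user's id in `Yii::app()->user->id`.

```php
<?php
// Added example: ownership check on a Yii 1.1 update action.
// Assumed: Post model with columns id, title, author_id; user id in the session.

class PostController extends CController
{
    // Resolve the edited record by its PK, never by user-supplied attributes,
    // so there is exactly one candidate row and no ambiguity about which is meant.
    protected function loadOwnedPost($id)
    {
        $post = Post::model()->findByPk((int) $id);
        if ($post === null) {
            throw new CHttpException(404, 'Post not found.');
        }
        // Same 404 for "not yours" so the response does not confirm the id exists.
        if ((string) $post->author_id !== (string) Yii::app()->user->id) {
            throw new CHttpException(404, 'Post not found.');
        }
        return $post;
    }

    public function actionUpdate($id)
    {
        $post = $this->loadOwnedPost($id);
        if (isset($_POST['Post'])) {
            // Massive assignment only touches attributes declared safe in Post::rules();
            // author_id must not be among them.
            $post->attributes = $_POST['Post'];
            // Re-assert the owner from the session, never from the submitted form.
            $post->author_id = Yii::app()->user->id;
            if ($post->save()) {
                $this->redirect(array('view', 'id' => $post->id));
            }
        }
        $this->render('update', array('model' => $post));
    }
}

// Equivalent RBAC form with CAuthManager: the bizRule is PHP evaluated with
// $params in scope, and checkAccess() passes the loaded record in.
//   $bizRule = 'return Yii::app()->user->id == $params["post"]->author_id;';
//   $auth->createOperation('updateOwnPost', 'update a post by its author', $bizRule);
// In the action, after findByPk():
//   if (!Yii::app()->user->checkAccess('updateOwnPost', array('post' => $post)))
//       throw new CHttpException(403, 'You are not allowed to edit this post.');
```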

#6 yangmls

Posted 23 November 2011 - 08:21 PM

François Gannaz, on 23 November 2011 - 05:06 AM, said:

at 2011/11/22 09:18pm, yangmls wrote the comment:
That was a typo, I fixed it. Thanks.


Yes, we need to salt passwords, but that's not enough. What the library PHPass does is applying random salting, choosing the best encrypting algorithm available, iterating it a high number of times... What you propose is a good first step, but it is less secure than this library, whose author is a security expert, also the author of the famous "john the ripper". And even your simple code isn't not simpler than my suggested code that uses PHPass.

I'll update the article to explain in a few words what the library does.

Yes, I read the source of PHPass; I find it uses the PHP crypt function to encrypt and puts the encrypted password as the salt.

Yeah, you are right, but I just want to express the importance of salt.

Anyway, thank you for replying patiently.

#7 guedalia

Posted 20 November 2012 - 08:41 AM

FYI I think there is a typo. In:

<?php
$r = Yii::app()->db
    ->createCommand($sql)
    ->queryAll(array(':param1' => $value1));


It seems that you cannot bind by passing an array to queryAll, but only via bindParam.

The above code would work with execute.
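As an added example (not the article's code) of the point guedalia makes, here are the binding forms Yii 1.1's `CDbCommand` actually supports, next to the flagged call. The `post` table, its `status` column and the sample values are assumptions.

```php
<?php
// Added example: parameter binding with CDbCommand in Yii 1.1.
// Assumed schema: table `post` with columns id, title, status.

$sql    = 'SELECT id, title FROM post WHERE status = :param1';
$value1 = 'published';

// Flagged form from the article: queryAll()'s FIRST argument is $fetchAssociative
// (a bool), so the array is not used as parameters and :param1 stays unbound,
// which PDO reports as an invalid-parameter-number error at execution.
// $r = Yii::app()->db->createCommand($sql)->queryAll(array(':param1' => $value1));

// 1. Pass the parameters as the second argument of queryAll().
$r1 = Yii::app()->db
    ->createCommand($sql)
    ->queryAll(true, array(':param1' => $value1));

// 2. bindValue() binds a copy of the value at call time (chainable).
$r2 = Yii::app()->db
    ->createCommand($sql)
    ->bindValue(':param1', $value1, PDO::PARAM_STR)
    ->queryAll();

// 3. bindParam() binds by reference: the value read is the one at execution time.
$cmd = Yii::app()->db->createCommand($sql);
$cmd->bindParam(':param1', $value1, PDO::PARAM_STR);
$r3 = $cmd->queryAll();

// execute() (no result set) takes the parameter array as its only argument,
// which is why the flagged form does work there:
$affected = Yii::app()->db
    ->createCommand('UPDATE post SET status = :param1 WHERE status = :old')
    ->execute(array(':param1' => 'archived', ':old' => $value1));
```

In every variant the value travels as a bound parameter and is never concatenated into `$sql`, which is the property the article's SQL-injection section relies on.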
