[François Gannaz]

Hi

This topic should hold the questions and suggestions about the wiki article "How to write secure Yii applications". Quoting the rules written at the bottom of every wiki page:

Quote

Please only use comments to help explain the above article.
If you have any questions, please ask in the forum, instead.

I'll begin with a reply to the two comments that were already posted.

[François Gannaz]

Quote

Thanks a lot for this article am going to visit my app and give it more enhancement concerning security. I have one question though. I have an app for listings where users post listings and an email is send to them with a link to click for activation how can I validate this since it's coming through GET variable.

There are 2 kinds of input in your application: listings and confirmation keys. If I didn't misunderstand, your question is about the confirmation keys.

They're probably an hexadecimal hash, so you can use the regular expression

/^[0-9a-f]+$/i

If the hash is not hexadecimal, you can still limit its size, and probably restrict the characters allowed (alphanumerical? or custom regexp?).

EDIT: Being GET or POST data changes nothing on validation. An application even has to validate other inputs, like updloaded files' content.

[François Gannaz]

at 2011/11/22 09:18pm, yangmls wrote the comment:

Quote

Thank you for your excellent article

I have some different ideas

In SQL Injections

$comments = Comment::model->findAll(array("post_id" => $postId, "author_id" => $ids));

I think it has no effect...
the correct way is to use findAllByAttributes

That was a typo, I fixed it. Thanks.

Quote

In Authentication

I think a good solution is to generate a random salt in db [...]

Yes, we need to salt passwords, but that's not enough. What the library PHPass does is applying random salting, choosing the best encrypting algorithm available, iterating it a high number of times... What you propose is a good first step, but it is less secure than this library, whose author is a security expert, also the author of the famous "john the ripper". And even your simple code isn't not simpler than my suggested code that uses PHPass.

I'll update the article to explain in a few words what the library does.

[Sammaye]

When allowing users to edit records I think one thng to state in the article is how to use bizrules and findbypk() to prevent users from changing rows that they do not own. Also I have found it much more secure to only ever do a initial find on PK when trying to find a record that a user is editing (when going to save or something) since finding on other attributes could lead to ambiquity opening a potential (small but possible) door for users to effect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.

Dunno if this is security or common sense though to be honest.

[François Gannaz]

Sammaye, on 23 November 2011 - 07:57 AM, said:

When allowing users to edit records I think one thng to state in the article is how to use bizrules and findbypk() to prevent users from changing rows that they do not own. Also I have found it much more secure to only ever do a initial find on PK when trying to find a record that a user is editing (when going to save or something) since finding on other attributes could lead to ambiquity opening a potential (small but possible) door for users to effect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.

Dunno if this is security or common sense though to be honest.

Hi Sammaye

What you describe is the domain of Authorization, i.e. ensuring users only have access to the resources they have permissions on.

The wiki page I wrote completely skips this subject for now. It could be a section of the page, but I believe it should be on a separate page. It is a lengthy subject, and the way Yii implements it is rather complex. Maybe this wiki page could contain links to the official guide and to other wiki pages on this. I'll look for resources.

[yangmls]

François Gannaz, on 23 November 2011 - 05:06 AM, said:

at 2011/11/22 09:18pm, yangmls wrote the comment:
That was a typo, I fixed it. Thanks.


Yes, we need to salt passwords, but that's not enough. What the library PHPass does is applying random salting, choosing the best encrypting algorithm available, iterating it a high number of times... What you propose is a good first step, but it is less secure than this library, whose author is a security expert, also the author of the famous "john the ripper". And even your simple code isn't not simpler than my suggested code that uses PHPass.

I'll update the article to explain in a few words what the library does.

Yes, I read the source of the PHPass, I find it use php crypt function to encrypt and put the encrypted password as the salt.

Yeah, You are right, but I just want to express the importance of salt.

Anyway, thank your for reply patiently.

[guedalia]

FYI I think there is a typo. In:

<?php
$r = Yii::app()->db
    ->createCommand($sql)
    ->queryAll(array(':param1' => $value1));

It seems that you cannot bind by passing an array to queryAll, but only via bindParam.

The above code would work with execute.