Discussion on the wiki article "How to write secure Yii applications"

Hi

This topic should hold the questions and suggestions about the wiki article "How to write secure Yii applications". Quoting the rules written at the bottom of every wiki page:

I’ll begin with a reply to the two comments that were already posted.

There are 2 kinds of input in your application: listings and confirmation keys. If I didn’t misunderstand, your question is about the confirmation keys.

They’re probably a hexadecimal hash, so you can use the regular expression


/^[0-9a-f]+$/i

If the hash is not hexadecimal, you can still limit its size, and probably restrict the characters allowed (alphanumerical? or custom regexp?).

EDIT: Whether the data comes from GET or POST changes nothing for validation. An application even has to validate other inputs, like uploaded files’ content.

at 2011/11/22 09:18pm, yangmls wrote the comment:

That was a typo, I fixed it. Thanks.

Yes, we need to salt passwords, but that’s not enough. What the library PHPass does is apply random salting, choose the best encrypting algorithm available, iterate it a high number of times… What you propose is a good first step, but it is less secure than this library, whose author is a security expert, also the author of the famous “john the ripper”. And even your simple code isn’t simpler than my suggested code that uses PHPass.

I’ll update the article to explain in a few words what the library does.

When allowing users to edit records I think one thing to state in the article is how to use bizrules and findbypk() to prevent users from changing rows that they do not own. Also I have found it much more secure to only ever do an initial find on PK when trying to find a record that a user is editing (when going to save or something), since finding on other attributes could lead to ambiguity, opening a potential (small but possible) door for users to affect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.

Dunno if this is security or common sense though to be honest.

Hi Sammaye

What you describe is the domain of Authorization, i.e. ensuring users only have access to the resources they have permissions on.

The wiki page I wrote completely skips this subject for now. It could be a section of the page, but I believe it should be on a separate page. It is a lengthy subject, and the way Yii implements it is rather complex. Maybe this wiki page could contain links to the official guide and to other wiki pages on this. I’ll look for resources.
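The ownership check Sammaye describes, written out as an added example (not code from the wiki article or from Yii itself). It assumes a Post model with an integer user_id column naming the owner, and Yii 1.1's CActiveRecord and CWebUser API:

```php
<?php
// Added example (not from the wiki article or this thread): an update action
// that loads the record by primary key only and checks ownership before any
// attribute is assigned. Assumes a Post model with a `user_id` column.
class PostController extends CController
{
    /**
     * Loads the record the current user is allowed to edit, or fails loudly.
     * The primary key is the only lookup attribute: a lookup by slug or title
     * could match more than one row and silently edit the wrong one.
     */
    protected function loadOwnedPost($id)
    {
        $post = Post::model()->findByPk((int) $id);
        if ($post === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        // Ownership check: compare against the authenticated user's id,
        // never against a user id taken from the request itself.
        $user = Yii::app()->user;
        if ($user->isGuest || (int) $post->user_id !== (int) $user->id) {
            throw new CHttpException(403, 'You are not allowed to edit this post.');
        }
        return $post;
    }

    public function actionUpdate($id)
    {
        $post = $this->loadOwnedPost($id);
        if (isset($_POST['Post'])) {
            // Massive assignment only touches attributes declared safe in rules();
            // keep user_id out of the safe list so the owner cannot be changed.
            $post->attributes = $_POST['Post'];
            if ($post->save()) {
                $this->redirect(array('view', 'id' => $post->id));
            }
        }
        $this->render('update', array('model' => $post));
    }
}
```

The same restriction can be pushed into the query with findByPk($id, 'user_id=:uid', array(':uid' => Yii::app()->user->id)), at the cost of reporting a foreign record as 404 instead of 403.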

Yes, I read the source of PHPass, and I found that it uses the PHP crypt function to encrypt and puts the encrypted password as the salt.

Yeah, you are right, but I just want to express the importance of salt.

Anyway, thank you for replying patiently.

FYI I think there is a typo. In:


<?php
$r = Yii::app()->db
    ->createCommand($sql)
    ->queryAll(array(':param1' => $value1));

It seems that you cannot bind by passing an array to queryAll, but only via bindParam.

The above code would work with execute.