Yii Framework Forum: Obfuscate Form Fields Name And Id.


Obfuscate Form Fields Name And Id.

#1 NCS_One (Junior Member, Group: Members, Posts: 56, Joined: 24-August 11)

Posted 29 January 2013 - 12:42 AM

Hi,

The current way of setting the form fields' name and id makes it too easy for custom bots.
I suggest some unique ids.
The form could store these unique ids in the user session.

#2 Hyprion (Junior Member, Group: Members, Posts: 20, Joined: 07-October 09, Location: Netherlands)

Posted 29 January 2013 - 04:35 AM

I disagree, Yii should keep using forms the way they are now. If you choose to make a form public then you are responsible for addressing the problem with custom bots. Besides, your solution might work for a few bots, not all of them.

TIP: use captcha

#3 Keith (Elite Member, Group: Moderators, Posts: 1,316, Joined: 04-March 10, Location: UK)

Posted 29 January 2013 - 09:51 AM

It definitely doesn't belong in the core, but an EObfuscatedActiveForm extension (or some such) would be a useful tool.

#4 samdark (Having fun, Group: Yii Dev Team, Posts: 3,154, Joined: 17-January 09, Location: Russia)

Posted 30 January 2013 - 03:40 AM

It's useful sometimes but if you've enabled CSRF tokens, the problem it solves doesn't exist.
Yii 1.1 Application Development Cookbook

Enjoying Yii? Star us at github: 1.1 and 2.0.

#5 NCS_One (Junior Member, Group: Members, Posts: 56, Joined: 24-August 11)

Posted 30 January 2013 - 05:40 PM

Good points.

So what's the best way, no captcha please, to secure a public form?

#6 samdark (Having fun, Group: Yii Dev Team, Posts: 3,154, Joined: 17-January 09, Location: Russia)

Posted 31 January 2013 - 10:39 AM

Enable CSRF tokens for a start and see if it's still an issue.

#7 NCS_One (Junior Member, Group: Members, Posts: 56, Joined: 24-August 11)

Posted 05 February 2013 - 07:08 PM

samdark, on 31 January 2013 - 10:39 AM, said:

    Enable CSRF-token for the beginning and see if it's still an issue.

Enabling CSRF doesn't prevent bots.

#8 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 06 February 2013 - 02:55 AM

@samdark:
I'm not really for obfuscating. But in some scenarios I find it better to have form field names like "query" instead of "SearchForm[query]". Consider such a search form which you want to submit via GET. So you want your search results to be shown under a nicer URL like: ...?query=myQueryString. As a workaround I now render custom form fields. But then I can't use the gimmicks of CActiveForm.

I'm not asking for changing the default, which is fine for most cases. I just want more freedom for the experienced developer who knows what he is doing.

So the question is: will there be a way in 2.0 to modify the way Yii generates form input names?

#9 samdark (Having fun, Group: Yii Dev Team, Posts: 3,154, Joined: 17-January 09, Location: Russia)

Posted 06 February 2013 - 03:43 AM

There's a way now: Gii templates.

#10 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 06 February 2013 - 03:46 AM

Hmm. Sorry, but I don't understand. How do Gii templates help me to achieve that:

<?php $form = $this->beginWidget('CActiveForm', ...) ?>
<?php echo $form->textField($model, 'query'); ?>

gives me an input field with name "query" instead of "SearchForm[query]"?

#11 samdark (Having fun, Group: Yii Dev Team, Posts: 3,154, Joined: 17-January 09, Location: Russia)

Posted 06 February 2013 - 07:07 AM

Well, not with ActiveForm :)

#12 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 06 February 2013 - 09:15 AM

I wonder if it's not better to let the models generate their form names then. I think such a change would make form handling more flexible and could still easily provide backwards compatibility. What do you think?

This way the OP could also create obfuscated form inputs if he wants to. This is really an advanced feature, though. The developer must understand the consequences (e.g. problems if he submits several models from one form).

#13 samdark (Having fun, Group: Yii Dev Team, Posts: 3,154, Joined: 17-January 09, Location: Russia)

Posted 06 February 2013 - 09:34 AM

I don't think it's a good idea to couple form generation and models.

#14 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 06 February 2013 - 09:39 AM

We already do so with form labels. In some way you can even say that a form input name is just another property of a model. So I would not consider this a big break in MVC, rather a pragmatic decision. At least I cannot think of a better way to make this more flexible.

#15 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 06 February 2013 - 10:16 AM

I see there's a similar issue here: https://github.com/y.../yii/issues/470 even though it's not exactly the same.

Still, I disagree with the final conclusion. In my opinion we should not worship MVC as the golden calf if there's good reason to lessen the strict paradigm slightly. I'd say that this is such a case: the framework forces me to do things the Yii way. If I don't (= use my custom form inputs) I can't use many features anymore (e.g. client-side and AJAX-based validation). If this can be solved with a minor break in MVC I can't see why we should not. This is just an unnecessary restriction.

#16 yJeroen (Junior Member, Group: Members, Posts: 94, Joined: 06-September 11, Location: The Netherlands)

Posted 06 February 2013 - 01:25 PM

Mike, can't you make something similar to the CActiveForm class that enables you to do this?

I think, if I understand you correctly, you'd need:
  • A class for the HTML elements that creates attributeName names, instead of Model[attributeName] names
  • A class/method you can then use to do something like $model->attributes = MikeCAF::transformGetsOfModel('modelName');

..just brainstorming :)

#17 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 06 February 2013 - 01:29 PM

Of course, but then I'd also have to implement my custom CHtml. That's not what I'd expect from an easily extensible framework :D

#18 qiang (Yii Project Lead, Group: Yii Dev Team, Posts: 5,857, Joined: 04-October 08, Location: DC, USA)

Posted 07 February 2013 - 08:40 AM

@mike: the active input methods allow you to explicitly specify the 'name' attribute. Does this solve your problem?

#19 Mike (Elite Member, Group: Members, Posts: 3,013, Joined: 06-October 08, Location: Upper Palatinate)

Posted 07 February 2013 - 09:05 AM

Thanks, I didn't think of that. But unfortunately it does not work: if I set the 'name' attribute, it also sets this as the 'id' of the input element. This breaks the client-side configuration of CActiveForm. For example, if I have a model User with field email, the input is <input id="email" name="email" but the inline JS configures it like {'id':'User_email'.

#20 qiang (Yii Project Lead, Group: Yii Dev Team, Posts: 5,857, Joined: 04-October 08, Location: DC, USA)

Posted 07 February 2013 - 09:45 AM

You also need to set 'inputID' in $htmlOptions for the error() method.
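Putting posts #18 to #20 together as an added example (not code from the thread or from Yii itself): a GET search form with the flat parameter name "query", the matching id, and error() told about that id via inputID. It assumes a SearchForm model and a SearchController that the thread never shows.

```php
<?php
// Added example, not code from the thread: a public search form submitted via GET
// with a flat parameter name ("query" instead of "SearchForm[query]") while keeping
// CActiveForm's client-side validation wired to the right element (posts #18-#20).
// Assumed: Yii 1.1, a SearchForm model, a SearchController, and views/search/index.php.

// ---- protected/models/SearchForm.php ----
class SearchForm extends CFormModel
{
    public $query;

    public function rules()
    {
        // the same rules feed server-side validate() and client-side validation
        return array(
            array('query', 'required'),
            array('query', 'length', 'max' => 100),
        );
    }
}

// ---- protected/controllers/SearchController.php ----
class SearchController extends CController
{
    public function actionIndex()
    {
        $model = new SearchForm();
        // a flat name means the value lives in $_GET['query'], not $_GET['SearchForm']['query']
        $model->query = Yii::app()->request->getQuery('query');
        if ($model->query !== null && $model->validate()) {
            // run the search with the validated $model->query here
        }
        $this->render('index', array('model' => $model));
    }
}

// ---- protected/views/search/index.php ----
?>
<?php $form = $this->beginWidget('CActiveForm', array(
    'id' => 'search-form',
    'method' => 'get',
    'enableClientValidation' => true,
)); ?>
<?php // with only 'name' set, Yii derives the id "query" from it (post #19); set it explicitly to keep them in step ?>
<?php echo $form->textField($model, 'query', array('name' => 'query', 'id' => 'query')); ?>
<?php // inputID points error() and its client-side config at that element instead of "SearchForm_query" (post #20) ?>
<?php echo $form->error($model, 'query', array('inputID' => 'query')); ?>
<?php echo CHtml::submitButton('Search'); ?>
<?php $this->endWidget(); ?>
```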
