Hi!
Where should I escape user input? Should I use strip_tags and CHtml::encode in beforeSave()? How to protect?
in the model rules
array('username', 'filter', 'filter' => 'strip_tags'),
you can also trim
array('username', 'filter', 'filter' => 'trim'),
And use CHtml::encode in views?
I would say save the data as it is and encode it when displaying the data in views
It’s better to add filter in rules with encoding to make it once before save data. Often you needn’t do it every time.
array( 'field', 'filter', 'filter' => array( 'CHtml', 'encode' ) )
You should strip tags in the rules to prevent malicious user input saving to your database and you should also encode it in your view
And you should definitely not use strip tags.
A lot of different ideas. Is it possible to auto CHtml::encode all echo data?
as I said always always have a copy of the original data.
// or you could do this
username - original data
username_filtered - filtered data
What for? For example, the engine of this forum doesn’t store original data, and strips all XSS and not-allowed tags before save.
You can use CHtmlPurifier filter to clear any malicious script from input
public function rules()
{
    return array(
        // run every value of myattribute through HTMLPurifier before validation/save
        array('myattribute', 'filter', 'filter' => array($obj = new CHtmlPurifier(), 'purify')),
    );
}
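To put the thread's answers together, here is an added example (not code from the thread or from Yii itself) of a Yii 1.1 model that stores plain fields as typed, purifies only the one field that is allowed to carry HTML, and leaves escaping to the view; the model name, table, field names and the HTML whitelist are assumed:

```php
<?php
// Added example: raw storage + escape-on-output for plain text,
// HTMLPurifier (CHtmlPurifier) only for the field that may contain markup.
class Post extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{post}}'; // assumed table name
    }

    public function rules()
    {
        return array(
            // Plain-text field: trim, store as typed, escape once in the view.
            // Do NOT CHtml::encode here: encoding on save AND on display turns
            // "<" into "&amp;lt;" (double encoding) and corrupts the stored value.
            array('username', 'filter', 'filter' => 'trim'),
            array('username', 'required'),
            array('username', 'length', 'max' => 64),
            // Rich-text field: whitelist its markup once before saving so the
            // stored HTML is already safe to echo without further escaping.
            array('body', 'filter', 'filter' => array($this->getPurifier(), 'purify')),
            array('body', 'safe'),
        );
    }

    private function getPurifier()
    {
        $purifier = new CHtmlPurifier();
        // Assumed whitelist policy; HTML.Allowed is a standard HTMLPurifier option,
        // passed through CHtmlPurifier's options property.
        $purifier->options = array('HTML.Allowed' => 'p,b,i,a[href],ul,ol,li');
        return $purifier;
    }
}

// views/post/view.php (assumed view file): escape plain text exactly once,
// echo the purified HTML field as markup on purpose.
//   <p><?php echo CHtml::encode($model->username); ?></p>
//   <div><?php echo $model->body; ?></div>
```

The rule of thumb this encodes: a value is escaped in exactly one place, either purified once on the way in (HTML fields) or encoded once on the way out (everything else), never both.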