Difference between #2 and #13 of
Understanding "Safe" Validation Rules

Changes

Title unchanged

Understanding "Safe" Validation Rules

Category unchanged

FAQs

Yii version unchanged

Tags changed

Forms, Validation, Safe, Massive Assignment, understanding

Content changed

A common source of confusion among new Yii users is how the `'safe'` validator works, how it works with other validators, and why it's necessary in the first place. This article means to clear up this confusion, as well as explain the notion of Massive Assignment.

Summary: A model's validation rules serve **two** purposes:

1. Ensure that fields entered in a form are entered properly
2. Define which form fields are allowed to be assigned to a $model variable
[...]
Validation Rules
----------------
The obvious purpose for validators is to ensure that users enter good data into application forms.

If a field should be no more than 16 characters long, if it should reflect a unique value in a table, or it must look like an email address, Yii provides a rich set of validators to help enforce form validation.
[...]
Because Yii is protecting you from security surprises.

Though it may seem obvious to accept all the fields built into a form, during the controller's action (where Massive Assignment is taking place), Yii has no way of knowing which actual fields were part of the form, and which are from a bad guy who is **synthesizing** form input with a contrived POST in order to fool the application.

This is protecting against two scenarios:

1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes him an administrator of the application. For a changePassword scenario, isAdmin should be marked explicitly `'unsafe'`.
2. All model objects based on [CActiveRecord] have internal housekeeping attributes that are subject to shenanigans if the bad guy were able to make assignments to them. Some of these include:
    * `$model->isnewrecord`
    * `$model->dbcriteria`
    * `$model->primarykey`
    * `$model->tablealias`
    * `$model->scenario`

and perhaps others. It's rather scary to think what could happen if the bad guy were able to manipulate these with malicious input, but because they are not mentioned in any validation rule - `'safe'` or otherwise - they are protected.
[...]
Yii takes the conservative approach that attributes are assumed to be unsafe unless the developer explicitly makes them so (a "default deny" paradigm), rather than the easier but more dangerous "default allow".
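
The change-your-password case and the "default deny" behaviour described above, as an added example (not code from the original article or from Yii itself). It assumes Yii 1.1 is available at the placeholder path shown; the `UserForm` class, its attributes, and the POST values are constructed for illustration.

```php
<?php
// Added example: assumes Yii 1.1; the framework path is a placeholder.
require_once '/path/to/yii/framework/yii.php';

// Hypothetical form model, constructed for illustration.
class UserForm extends CFormModel
{
    public $password;
    public $passwordRepeat;
    public $email;
    public $isAdmin = 0;

    public function rules()
    {
        return array(
            // No 'on' key: applies in every scenario, so isAdmin is safe everywhere...
            array('isAdmin', 'boolean'),
            array('email', 'email', 'on' => 'adminEdit'),
            array('password, passwordRepeat', 'required', 'on' => 'changePassword'),
            array('password', 'length', 'max' => 16, 'on' => 'changePassword'),
            array('passwordRepeat', 'compare', 'compareAttribute' => 'password',
                  'on' => 'changePassword'),
            // ...except here: 'unsafe' withdraws it from Massive Assignment
            // for the changePassword scenario only.
            array('isAdmin', 'unsafe', 'on' => 'changePassword'),
        );
    }
}

// Constructed POST body: two legitimate fields plus two injected ones.
$post = array(
    'password'       => 'n3w-passphrase',
    'passwordRepeat' => 'n3w-passphrase',
    'isAdmin'        => 1,            // not part of the change-password form
    'scenario'       => 'adminEdit',  // housekeeping attribute, named in no rule
);

foreach (array('changePassword', 'adminEdit') as $scenario) {
    $model = new UserForm($scenario);
    // Massive Assignment: only attributes that are safe in the
    // model's current scenario are copied from the input array.
    $model->attributes = $post;
    printf("%-15s safe=[%s] isAdmin=%s scenario=%s\n",
        $scenario,
        implode(', ', $model->getSafeAttributeNames()),
        var_export($model->isAdmin, true),
        $model->scenario);
}
```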

It's wise to review the Rules in your model from time to time to ensure that you're not allowing things you should not (especially when scenarios are in play), because it's not uncommon to wildly mark things as safe during a bout of validation problems without realizing that this actually reduces the security of the application.
 
 
Russian Version: [Правило валидации "safe", для тех, кто в танке](http://phptime.ru/blog/yii/23.html)
Viewed: 182 568 times
Version: 1.1
Category: FAQs
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 11 years ago