Difference between #22 and #23 of
Yii Security-extended guide

Revision #23 has been created by bingjie2680 on Nov 22, 2011, 10:22:06 AM with the memo:

correct
« previous (#22)

Changes

Title unchanged

Yii Security-extended guide

Category unchanged

Tips

Yii version unchanged

Tags unchanged

security, tutorial, tips

Content changed

[...]
<li>Input validation, do not trust any data from client side, always validate.</li>
<li>Avoid write raw SQL statement in controller, if you have to, pay great attention to the input.</li>
<li>Use prepared statment,in Yii, use methods in activeRecord or CDbCommand to pass $params.</li>
</ol>

**Magic Urls**

Another attack that you should pay attention to is the so called Magic Url. this attack happens when developers use parameters in the url as input and execute some operation on the server side. In particular, the architecture of Yii framework has opens the door to this attack. Without proper authentication guides and other countermeasures, attackers may be able to delete all the data you have in your database. so let's look at a concrete example:

Imagin you have a ImageController which contains common methods:
[...]
6 6
12 followers
Viewed: 30 682 times
Version: 1.1
Category: Tips
Tags: security, tips, tutorial
Written by: bingjie2680
Last updated by: bingjie2680
Created on: Nov 17, 2011
Last updated: 12 years ago
Update Article
Revert to #22 | Revert to #23

Revisions

View all history