Difference between #13 and #15 of
How to write secure Yii1 applications

Revision #15 has been created by CeBe on Jun 20, 2013, 11:47:48 PM with the memo:

fixed example code of CJavaScript::encode

Changes

Title unchanged

How to write secure Yii applications

Category unchanged

How-tos

Yii version unchanged

Tags unchanged

security, authorization, authentication, XSS, SQL injection

Content changed

[...]
```php
<?php
$messages = array("Rock'n roll", 'Say "hello"');
$title = "D'accord";
// The JavaScript source is a PHP string, so the encoded values are concatenated
// into it; inline <?php ... ?> tags would not be interpreted inside the string.
// CJavaScript::encode() turns the PHP array into a JS array literal of quoted
// strings; CJavaScript::quote() escapes a single string for use between quotes.
Yii::app()->clientScript->registerScript('snippet', "
function displayMsg() {
    var messages = " . CJavaScript::encode($messages) . ";
    var title = '" . CJavaScript::quote($title) . "';
    // ...
}
");
```
[...]
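The snippet above covers values the application itself controls. The case a reviewer cares about is data that originates from a user, and there CJavaScript::encode() has a trap: by default a string that starts with `js:` is emitted as raw JavaScript code, not as a quoted string. The example below is added here and is not code from the original article; it assumes Yii 1.1.11 or later (where the `$safe` argument of `CJavaScript::encode()` and the `CJavaScriptExpression` class were introduced), and the message and title values are constructed to stand in for user-supplied data.

```php
<?php
// Added example, not code from the original article. Assumes Yii 1.1.11 or
// later and runs inside a controller action or view where
// Yii::app()->clientScript is available.

// Constructed inputs standing in for values read from the database or $_GET:
// the second message is what an attacker would submit.
$messages = array(
    "Rock'n roll",
    'js:alert(document.cookie)',
);
$title = "D'accord";

// NOT safe for untrusted data: with $safe=false (the default) encode() treats a
// string beginning with "js:" as JavaScript and emits it unquoted, so the
// second message would execute in every visitor's browser. Shown only for
// contrast; never write this value into the page.
$jsMessagesUnsafe = CJavaScript::encode($messages);

// Safe: with $safe=true every string is quoted, "js:" prefix included, and the
// array becomes a JS array literal of string literals.
$jsMessages = CJavaScript::encode($messages, true);

// When raw JavaScript is wanted inside the structure (a callback, a reference
// to an existing function), mark it explicitly with CJavaScriptExpression
// instead of relying on the magic prefix. It is emitted as code even under
// $safe=true, and it can only be produced by your own PHP, never by a user
// string that happens to start with "js:".
$jsOptions = CJavaScript::encode(array(
    'title'   => $title,                                                   // quoted
    'onReady' => new CJavaScriptExpression('function () { displayMsg(); }'), // raw, on purpose
), true);

Yii::app()->clientScript->registerScript('snippet', "
var messages = $jsMessages;
var options = $jsOptions;
function displayMsg() {
    alert(options.title + ': ' + messages.join(', '));
}
options.onReady();
", CClientScript::POS_END);
```

Two further checks belong with this pattern. First, `CHtml::encode()` is the wrong tool for this context: it escapes for HTML, and a value landing inside a `<script>` block needs JavaScript escaping, which is what `CJavaScript::quote()` and `encode()` provide. Second, confirm in the Yii version you run that `CJavaScript::quote()` rewrites `</` as `<\/`; if it does not, a value such as `</script>` can close the inline script element, and you must add that replacement yourself.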
```php
<?php
// still lacks validation (see "Validating user input" above), but more secure:
// the cast guarantees that only an integer reaches the query
$model = MyModel::model()->findByPk((int)$_GET['id']); // uses validation with a type cast
if ($model !== null) {   // findByPk() returns null when no row matches
    $model->delete();
}

$comments = Comment::model()->findAllByAttributes(array('user_id' => (int)$_GET['id']));
```

This is a general principle: if you build your SQL condition as a text string, you take more risk than with a PHP-structured approach in which the values travel separately from the SQL and reach the driver as bound parameters.
For most DB functions, **prefer array parameters to string parameters**.
Here is another example using PHP arrays:
[...]
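The following controller puts the two styles side by side and adds the caveat that array parameters protect values only. It is an added example, not code from the original article; the `Comment` model and its columns `user_id`, `status`, `type` and `created` are assumptions made for illustration, and the attacker's query string is constructed.

```php
<?php
// Added example, not code from the original article. Assumes a Yii 1.1
// CActiveRecord model `Comment` with columns user_id, status, type and created
// (assumed names) and a view named 'list'.

class CommentController extends CController
{
    // VULNERABLE: the condition is assembled as SQL text. The constructed
    // request ?user=1%20OR%201=1 makes the WHERE clause
    //   user_id = 1 OR 1=1 AND status = 'published'
    // which returns every published comment, not just this user's.
    public function actionUnsafe()
    {
        $user = $_GET['user'];
        $comments = Comment::model()->findAll("user_id = $user AND status = 'published'");
        $this->render('list', array('comments' => $comments));
    }

    // SAFE: values are handed to Yii separately from the SQL and reach the
    // driver as bound parameters, whatever characters they contain.
    public function actionSafe()
    {
        $user   = (int) $_GET['user'];                                        // cheap first line of defence
        $status = isset($_GET['status']) ? $_GET['status'] : 'published';     // still a string: bind it, never concatenate

        // 1. Attribute array: Yii writes the placeholders and binds the values itself.
        $byAttributes = Comment::model()->findAllByAttributes(array(
            'user_id' => $user,
            'status'  => $status,
        ));

        // 2. Condition string with a params array: the same thing, written out.
        $byParams = Comment::model()->findAll(
            'user_id = :user AND status = :status',
            array(':user' => $user, ':status' => $status)
        );

        // 3. CDbCriteria for anything more involved. compare() binds the value,
        //    but it also reads a leading <, <=, >, >=, <> or = in the value as
        //    the comparison operator: a user can send status=<>published to
        //    widen the match, though not to inject SQL. addInCondition() binds
        //    each element of the list.
        $criteria = new CDbCriteria;
        $criteria->compare('user_id', $user);
        $criteria->compare('status', $status);
        $criteria->addInCondition('type', array('note', 'review'));

        // Arrays protect VALUES only. Column names, ORDER BY and LIMIT are
        // still raw SQL, so anything user-chosen there must be whitelisted.
        $allowedSort = array('created', 'status');
        $sort = (isset($_GET['sort']) && in_array($_GET['sort'], $allowedSort, true))
            ? $_GET['sort'] : 'created';
        $criteria->order = $sort . ' DESC';
        $criteria->limit = 20;

        $byCriteria = Comment::model()->findAll($criteria);

        $this->render('list', array('comments' => $byCriteria));
    }
}
```

The three safe forms produce the same bound query; pick the attribute array for simple equality, the params array when you need SQL operators you control, and CDbCriteria when the condition grows or is built up across several steps. The whitelist on `order` is the part most often forgotten: `(int)` and parameter binding do nothing for a column name.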
Version: 1.1
Category: How-tos
Written by: François Gannaz
Last updated by: François Gannaz
Created on: Nov 22, 2011
Last updated: 2 years ago