Yii Framework Forum: Comments on the wiki post "Yii Security-extended guide" - Yii Framework Forum


#1 François Gannaz (Junior Member, Posts: 87, Joined: 24-November 09)

Posted 20 November 2011 - 06:49 PM

This is an answer to a comment by the author of the article.


Hi Francois.Gannaz, Thank you for your comment.

SQL injection:

1. Ok,
2. I said avoid writing SQL in the controller layer, not saying "do not write". Do you not agree that placing SQL statements in the Model layer is a better practice?
3. Are find(), findAll() not like prepared statements? If not, then this is a security issue in the Yii framework, don't you agree?
4. I admit that this was wrongly explained.

Magic URL:

1. Does it matter what it is called? I believe in the 24 Sins book, it is called so.
2. I only suggest that POST is more secure than GET in some way, I do not say in any way that it is secure.

If you have any other thoughts or ideas, you are very welcome to update and improve this article to share your knowledge.


1. At least we agree on input validation.
2. Putting SQL in the model instead of the controller is indeed a good practice, but it has no impact on security.
3. So you admit you don't know how `find()` works. Thank you for being honest, but can you understand that this gives an insecure feeling to your whole text? `find()` methods are just helpers that issue a select and put the result in objects. It's up to the developer to use prepared statements or not. For instance, prepared statements can't be used to check if a value is in a list: `find('a IN (' . join(',', $array) . ')')`.
4. You deleted it.

I don't want to be rude, but, as I said, I believe this kind of subject should not be treated by someone who lacks experience (especially in security, but also in Yii). People could feel secure once they have followed the recommendations, and they shouldn't be.

You're right when you say I should improve the article. But it would take a long time, especially since I'm not a native English speaker, and I'm not a specialist on security (though I have some experience). Maybe I'll try anyway.
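The post above quotes `find('a IN (' . join(',', $array) . ')')` as a case where the values end up inside the SQL text. The following is an added example, not code from the forum post or from the Yii project, showing that pattern next to a version that keeps every value as a bound parameter by generating one placeholder per element; the model name `Post` and the helper names are assumptions, and the plain-PHP part runs without Yii installed.

```php
<?php
// Added example: building an "IN (...)" condition without concatenating values.
// Assumes Yii 1.1's CActiveRecord::findAll($condition, $params) and
// CDbCriteria::addInCondition(); "Post" is an assumed model name.

// Pattern quoted in the thread: values become part of the SQL string, so any
// element that is not a plain number changes the query's meaning.
function unsafeInCondition($column, array $values)
{
    return $column . ' IN (' . join(',', $values) . ')';
}

// Hardened form: one named placeholder per value, values returned separately
// so the driver binds them as data. $column must come from a whitelist in
// your own code; it is still interpolated here.
function buildInCondition($column, array $values, $prefix = 'in')
{
    if ($values === array()) {
        // An empty IN () list is invalid SQL; match nothing instead.
        return array('0=1', array());
    }
    $placeholders = array();
    $params = array();
    foreach (array_values($values) as $i => $value) {
        $name = ':' . $prefix . $i;
        $placeholders[] = $name;
        $params[$name] = $value;
    }
    return array($column . ' IN (' . implode(',', $placeholders) . ')', $params);
}

// Constructed input: the last element is not a number.
$ids = array(1, 2, "3 OR 1=1");

echo unsafeInCondition('id', $ids), "\n";
// prints: id IN (1,2,3 OR 1=1)   <- the value altered the condition

list($condition, $params) = buildInCondition('id', $ids);
echo $condition, "\n";
// prints: id IN (:in0,:in1,:in2)  <- values travel in $params, not in the SQL
print_r($params);

// Inside a Yii 1.1 application the result feeds the finder (assumed model):
//   Post::model()->findAll($condition, $params);
// or let CDbCriteria generate the placeholders for you:
//   $criteria = new CDbCriteria;
//   $criteria->addInCondition('id', $ids);
//   Post::model()->findAll($criteria);
```

Either route gives the same protection: the list is validated or bound, never pasted into the statement, which is the point the thread makes about `find()` being only a thin helper over whatever SQL the developer hands it.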
