Difference between #11 and #12 of
Understanding "Safe" Validation Rules

Revision #12 has been created by Gismo on Oct 18, 2012, 8:29:50 AM with the memo:

Add russian version


Title unchanged

Understanding "Safe" Validation Rules

Category unchanged


Yii version unchanged

Tags unchanged

Forms, Validation, Safe, Massive Assignment, understanding

Content changed

and perhaps others. It's rather scary to think what could happen if the bad guy were able to manipulate these with malicious input, but because they are not mentioned in any validation rule - `'safe'` or otherwise - they are protected.

Yii takes the conservative approach that attributes are assumed to be unsafe unless the developer explicitly makes them so (a "default deny" paradigm), rather than the easier but more dangerous "default allow".

It's wise to review the rules in your model from time to time to ensure that you're not allowing things you should not (especially when scenarios are in play), because it's not uncommon to wildly mark things as safe during a bout of validation problems without realizing that this actually reduces the security of the application.
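The following is an added example (not part of the original article) showing the default-deny behaviour described above in a Yii 1.1 form model. `UserForm`, its attributes, the `admin` scenario and the framework path are assumptions for illustration; only the built-in `rules()`, `'safe'`, `setAttributes()` and `getSafeAttributeNames()` mechanics are Yii's own.

```php
<?php
// Added example, not the article's code. Assumes Yii 1.1 is installed;
// the framework path below is a placeholder to be replaced locally.
require_once '/path/to/yii/framework/yii.php';
Yii::createWebApplication(array('basePath' => __DIR__));

// Hypothetical model with one attribute that must never come from user input.
class UserForm extends CFormModel
{
    public $username;
    public $email;
    public $bio;
    public $is_admin = false;

    public function rules()
    {
        return array(
            // Attributes named in any validator are "safe" in that scenario.
            array('username, email', 'required'),
            array('email', 'email'),
            // 'bio' needs no real validation, so 'safe' is used to allow it.
            array('bio', 'safe'),
            // 'is_admin' is only safe in the (assumed) 'admin' scenario;
            // in the default scenario it appears in no rule and is denied.
            array('is_admin', 'safe', 'on' => 'admin'),
        );
    }
}

// Constructed request data: a normal form post plus an injected extra field.
$post = array(
    'username' => 'alice',
    'email'    => 'alice@example.com',
    'bio'      => 'Hello there',
    'is_admin' => 1,
);

// Default scenario: massive assignment only touches safe attributes.
$model = new UserForm();
$model->attributes = $post;             // same as setAttributes($post, true)
var_dump($model->getSafeAttributeNames()); // username, email, bio
var_dump($model->is_admin);                // bool(false): injected field dropped

// Same input under the 'admin' scenario: the rule now makes is_admin safe,
// which is exactly why rules must be reviewed whenever scenarios are in play.
$admin = new UserForm('admin');
$admin->attributes = $post;
var_dump($admin->is_admin);                // int(1): assigned in this scenario
```

With `YII_DEBUG` enabled, Yii also logs a warning from `onUnsafeAttribute()` for each dropped field, which is a convenient way to spot either an attack attempt or a form field you forgot to declare.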

Russian Version: [The PHP Times](http://phptime.ru/blog/yii/23.html)
Viewed: 130 997 times
Version: 1.1
Category: FAQs
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 5 years ago

