Difference between #4 and #5 of
Understanding "Safe" Validation Rules

Revision #5 has been created by Lensi on May 16, 2011, 9:03:56 AM with the memo:

spelling
« previous (#4) next (#6) »

Changes

Title unchanged

Understanding "Safe" Validation Rules

Category unchanged

FAQs

Yii version unchanged

Tags unchanged

Forms, Validation, Safe, Massive Assignment

Content changed

[...]
Though it may seem obvious to accept all the fields built into a form, during the controller's action (where Massive Assignment is taking place), Yii has no way of knowing which actual fields were part of a the form. and which are from a bad guy who is **synthesizing* form input with a contrived POST in order to fool the application.

This is protecting against two scenarios:

1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes him an administrator of the application. For a changePassword scenario, isAdmin should be marked expilicitly `'unsafe'`.

2. All model objects based on [CActiveRecord] have internal housekeeping attributes that are subject to shenanigans if the bad guy were able to make assignments to them. Some of these include:

* `$model->isnewrecord`
* `$model->dbcriteria`
[...]
75 0
46 followers
Viewed: 181 941 times
Version: 1.1
Category: FAQs
Tags: Forms, Massive Assignment, Safe, understanding, validation
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 11 years ago
Update Article
Revert to #4 | Revert to #5

Revisions

View all history