Revision #5 has been created by Lensi on May 16, 2011, 9:03:56 AM with the memo:
« previous (#4) next (#6) »
Understanding "Safe" Validation Rules
Forms, Validation, Safe, Massive Assignment
[...]Though it may seem obvious to accept all the fields built into a form, during the controller's action (where Massive Assignment is taking place), Yii has no way of knowing which actual fields were part of a the form. and which are from a bad guy who is **synthesizing* form input with a contrived POST in order to fool the application.
This is protecting against two scenarios:
1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes him an administrator of the application. For a changePassword scenario, isAdmin should be marked exp
2. All model objects based on [CActiveRecord] have internal housekeeping attributes that are subject to shenanigans if the bad guy were able to make assignments to them. Some of these include: