Difference between #6 and #7 of
Understanding "Safe" Validation Rules

Revision #7 has been created by resurtm on Aug 2, 2011, 11:41:54 AM with the memo:

Fixed illegal Markdown bold


Title unchanged

Understanding "Safe" Validation Rules

Category unchanged


Yii version unchanged

Tags unchanged

Forms, Validation, Safe, Massive Assignment

Content changed

After all, if the developer configures the form with certain fields, shouldn't they all just be copied to the `$model` after validation has passed? Why isn't this good enough?

Because Yii is protecting you from security surprises.

Though it may seem obvious to accept all the fields built into a form, during the controller's action (where massive assignment is taking place) Yii has no way of knowing which fields were actually part of the form and which come from a bad guy who is **synthesizing** form input with a contrived POST in order to fool the application.

This is protecting against two scenarios:

1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes that user an administrator of the application. For a `changePassword` scenario, `isAdmin` should be marked explicitly `'unsafe'`.
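The `changePassword` scenario above, written out as Yii 1.1 model rules plus the controller action that performs the massive assignment. This is an added example, not code from the article; it assumes a hypothetical `User` ActiveRecord backed by a `user` table (columns `id`, `username`, `password`, `isAdmin`) and a hypothetical `UserController`.

```php
<?php
// Added example: which attributes massive assignment may touch is decided
// per scenario by rules(); anything not named in a rule for the active
// scenario is not "safe", and 'unsafe' refuses an attribute explicitly.
class User extends CActiveRecord
{
    public $passwordRepeat;   // form-only field, not a column of the assumed table

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{user}}';    // assumed table: id, username, password, isAdmin
    }

    public function rules()
    {
        return array(
            // password and passwordRepeat become safe in the changePassword scenario.
            array('password, passwordRepeat', 'required', 'on' => 'changePassword'),
            array('passwordRepeat', 'compare', 'compareAttribute' => 'password',
                  'on' => 'changePassword'),
            // isAdmin is explicitly unsafe here: a POST carrying User[isAdmin]=1
            // is dropped during massive assignment even if another rule names it.
            array('isAdmin', 'unsafe', 'on' => 'changePassword'),
        );
    }
}

class UserController extends CController
{
    public function actionChangePassword()
    {
        // The logged-in user changes only their own password.
        $model = User::model()->findByPk(Yii::app()->user->id);
        $model->scenario = 'changePassword';

        if (isset($_POST['User'])) {
            // Massive assignment. setAttributes() defaults to safeOnly=true, so
            // only password and passwordRepeat are copied; isAdmin keeps the
            // value loaded from the database regardless of what was posted.
            $model->attributes = $_POST['User'];

            if ($model->save()) {          // save() runs the scenario's validators first
                $this->redirect(array('site/index'));
            }
        }
        $this->render('changePassword', array('model' => $model));
    }
}
```

In debug mode Yii 1.1 also logs each attribute that massive assignment refused, which is a useful signal when a form unexpectedly "loses" a field.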
Viewed: 130 806 times
Version: 1.1
Category: FAQs
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 5 years ago