Difference between #7 and #8 of
Understanding "Safe" Validation Rules

Revision #8 has been created by resurtm on Aug 2, 2011, 11:43:06 AM with the memo:

Fixed illegal Markdown bold
« previous (#7) next (#9) »

Changes

Title unchanged

Understanding "Safe" Validation Rules

Category unchanged

FAQs

Yii version unchanged

Tags unchanged

Forms, Validation, Safe, Massive Assignment

Content changed

[...]
After all, if the developer configures the form with certain fields, shouldn't they all just be copied to the `$model` after validation has passed? Why isn't this good enough?

Because Yii is protecting you from security surprises.

Though it may seem obvious to accept all the fields built into a form, during the controller's action (where Massive Assignment is taking place), Yii has no way of knowing which actual fields were part of a the form. and which are from a bad guy who is **synthesizing** form input with a contrived POST in order to fool the application.

This is protecting against two scenarios:

1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes him an administrator of the application. For a changePassword scenario, isAdmin should be marked explicitly `'unsafe'`.
[...]
75 0
46 followers
Viewed: 181 926 times
Version: 1.1
Category: FAQs
Tags: Forms, Massive Assignment, Safe, understanding, validation
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 11 years ago
Update Article
Revert to #7 | Revert to #8

Revisions

View all history