Difference between #7 and #8 of
Understanding "Safe" Validation Rules

Revision #8 has been created by resurtm on Aug 2, 2011, 11:43:06 AM with the memo:

Fixed illegal Markdown bold
« previous (#7) next (#9) »


Title unchanged

Understanding "Safe" Validation Rules

Category unchanged


Yii version unchanged

Tags unchanged

Forms, Validation, Safe, Massive Assignment

Content changed

After all, if the developer configures the form with certain fields, shouldn't they all just be copied to the `$model` after validation has passed? Why isn't this good enough?

Because Yii is protecting you from security surprises.

Though it may seem obvious to accept all the fields built into a form, during the controller's action (where Massive Assignment is taking place), Yii has no way of knowing which actual fields were part of a the form. and which are from a bad guy who is
**synthesizing** form input with a contrived POST in order to fool the application.

This is protecting against two scenarios:

1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes him an administrator of the application. For a changePassword scenario, isAdmin should be marked explicitly `'unsafe'`.
72 0
Viewed: 128 957 times
Version: 1.1
Category: FAQs
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 5 years ago
Update Article


View all history