Revision #22 has been created by bingjie2680 on Nov 22, 2011, 10:17:14 AM with the memo:
« previous (#15) next (#23) »
Yii Security-extended guide
security, tutorial, tips
[...]"Select * from User where username='john' or 1=1";
and this query will return all the user data in your table, so attacker can do whatever they want with the data. This is a simple example, but it demonstrates very well of how the attack happens.
what do you do to prevent these attacks in order to protect your data, here
<li>Input validation, do not trust any data from client side, always validate.</li>
<li>Avoid write raw SQL statement in controller, if you have to, pay great attention to the input.</li>
Place the query in Model class, and use building methods like find(),findAll() etc.</li>.</li>
<li>Use Criteria builder to query data from your database, because all strings that are fed into the criteria are treated as strings, so database engine will not run them as sql language
[...]or similar. It becomes clear now if your database design is just simply numerically increase the id for image records, then the obvious attack could happen just by simply changing the id value in the URL and remove the image record owned by another user, therefore this is a sinful code.
So what are the suggestions:
<li>Authorized the operation by checking the role of the user, consider using <a href="http://www.yiiframework.com/doc/guide/1.1/en/topics.auth ">Role-Based Access Control (RBAC)</a>.
<li>Avoid using get method when the result has side effect on the server side,use post instead and always check if it is a post request by checking: