Wiki articles tagged with "security"

Sometimes you need to force a user to change their password after x number of days. This article describes how to implement this using a filter, ChangePasswordFilter.

How to create a simple (non-RBAC) authorization system

Update: This wiki has been rewritten to be in line with Yii 1.1.14. Since many of the detailed complexities are now handled by Yii, the article focuses on how the crypt() built-in function works and why it's important to use it correctly.

• iteration_count_log2 controls the number of iterations for key stretching. A setting of 8 means the hash algorithm will be applied 2^⁸ = 256 times. This setting should be kept between 4 and 31.
• portable_hashes controls whether portable hashes should be used or not. Portable hashes are salted MD5 hashes prefixed by $P$.

Authentication and Authorization is a good tutorial. Among other topics, it describes basic aspects of Yii's RBAC implementation. But however hard I read the tutorial, I couldn't understand how exactly the hierarchy works. I found how to define authorization hierarchy, how business rules are evaluated, how to configure a...

• Validate the user input (see below for details).
• Protect (escape) your application output according to context (see below for a few output types, mostly HTML and SQL).
• Test your application in debug mode.
  Set the constant YII_DEBUG to true (by default, it is defined in index.php) and put alongside error_reporting(E_ALL);. Then errors and warnings will stop the execution an...