Yii Framework Wiki
Difference between
#8 and
#9 of
Understanding "Safe" Validation Rules
Revision #9 has been created by GOsha on Oct 30, 2011, 8:44:00 PM with the memo:
added "understanding" tag to the article
« previous (#8) next (#10) »
Changes
Title unchanged
Understanding "Safe" Validation Rules
Category unchanged
FAQs
Yii version unchanged
Tags changed
Forms, Validation, Safe, Massive Assignment, understanding
Content unchanged
[...]
and perhaps others. It's rather scary to think what could happen if the bad guy were able to manipulate these with malicious input, but because they are not mentioned in any validation rule - `'safe'` or otherwise - they are protected.Yii takes the conservative approach that attributes are assumed to be unsafe unless the developer explicitly makes them so (a "default deny" paradigm), rather than the easier but more dangerous "default allow".
It's wise to review the Rules in your model from time to time to insure that you're not allowing things you should not (especially when scenarios are in play), because it's not uncommon to wildly mark things as safe during a bout of validation problems without realizing that this actaully reduces the security of the application.
46 followers
Viewed: 186 637 times
Version: 1.1
Category: FAQs
Written by: Steve Friedl
Last updated by: Gismo
Created on: Mar 22, 2011
Last updated: 12 years ago
Revisions
View all history-
12 years ago by
Gismo edit russian version anchor
-
12 years ago by
Gismo Add russian version
-
12 years ago by
spinningarrow insure -> ensure
-
12 years ago by
spinningarrow minor edit (insure -> ensure)
-
13 years ago by
GOsha added "understanding" tag to the article
-
13 years ago by
resurtm Fixed illegal Markdown bold
-
13 years ago by
resurtm Fixed illegal Markdown bold
-
13 years ago by
Boaz small typo - extra word removed
-
13 years ago by
Lensi spelling
- 13 years ago by qiang