开发者

cakePHP security

问答 作者:

I am thinking of using cakePHP to build a web app. My question is how much of security stuff will I have to code myself to 开发者_如何学Goprevent (SQL injection etc)? What security stuff cakePHP takes care of by itself and what will I have to code?

cake does a lot of things automatically but some not. depending on how secure you want you forms you should also consider "white-listing": details

the easiest method would be to use the security component.

CakePHP itself is pretty good at it, you will not have to worry about what is submitted. But if you are using the data, everything will be of course unescaped. So a Form built from the Helper classes will be XSS safe, but once you are printing out what is int $this->data you must know and take care to escape it. h() is an often used alias for htmlspecialchars().

CakePHP has no protection against XSRF out of the box.

For ACL it provides you some components.

For sure it depends what is your code style and what is your understanding of the framework. For sure if you are using CakePHP function for storing data it will be pretty much ok.

But currently I am working on a paid CakePHP "Application" which is far from secure code :) So it really depend from the developer.

Cake provides its own features like Data validation, MVC coding pattern, Controllers, Auth component, Automated configuration process and also the Security component. So it's not a thing to worry about, If you are not satisfied with this and want to add your own security component, go through the blog: http://goo.gl/ZoQzLx

Security in cake can be enable with few lines of code and using it's built in classes.

For Sql Injection protection

  • use cakephp $this->find will automatically sanitize your parameters but if you want to use raw query you can still sanitize your data using Sanitize::escape() method

For CSRF protection

  • you can enable it app/Controller/AppController.php

```

public $components = [
   'Security' => [
       'csrfUseOnce' => false,
       'csrfExpires' => '+1 hour',
   ],
];

```

For XSS

  • if possible, always use cakephp Form Helper (http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html)
  • when your data is from text field, always print it using h() (Text to wrap through htmlspecialchars)

https://book.cakephp.org/2.0/en/core-libraries/components/security-component.html

继续阅读:cakephpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9