Thursday, October 10, 2013

Re: New Member - Basic Security Questions!

You can also find some information on http://www.dereuromark.de/2010/10/05/cakephp-security/
Basically sanitizing was often used too eagerly, instead of using validation (which also usually is used too restrictively) and sane output escaping.

Use whitelisting for security sensitive views - or use RequestHandler if possible.
Escape all plain output on display - clean HTML output on save.
Nothing more to do usually.

If you want to test your application against attacks, try SQL injection and XSS snippets and see if they go through. They shouldn't :)
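As an added illustration (not code from this thread or from CakePHP itself), here is plain PHP showing the validate-on-input, escape-on-output pattern described above, together with the "try XSS snippets and see if they go through" check; the h() and validateUsername() functions are stand-ins for framework code, and the inputs are constructed for the demo.

```php
<?php
// Added illustration, not code from the thread or from CakePHP itself.
// Plain PHP standing in for the framework: validate on input, store as-is,
// escape on output. h() here mirrors what CakePHP's h() does (htmlspecialchars).
declare(strict_types=1);

// Validation accepts or rejects; it never silently rewrites the value.
function validateUsername(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $value) === 1;
}

// Escape at display time, the equivalent of CakePHP's h().
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The "try XSS snippets and see if they go through" check from the post:
// after escaping, no tag or attribute delimiter may survive in the output.
function probesAreInert(array $probes): bool
{
    foreach ($probes as $probe) {
        if (strpbrk(h($probe), '<>"\'') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs for the demo.
$legit  = 'guard: a<b must hold';            // legitimate text containing '<'
$probes = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    "<img src=x onerror='alert(1)'>",
];

// Escape-on-output keeps the legitimate text intact and the browser shows it as text.
echo h($legit), PHP_EOL;                     // guard: a&lt;b must hold
// Destructive sanitizing (the old Sanitize approach) silently loses part of it.
echo strip_tags($legit), PHP_EOL;            // guard: a
echo probesAreInert($probes) ? "probes inert\n" : "a probe went through\n";
var_dump(validateUsername('bobby_tables'));                     // bool(true)
var_dump(validateUsername("Robert'); DROP TABLE Students;--")); // bool(false)
```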


On Wednesday, 9 October 2013 08:02:09 UTC+2, Reuben wrote:
Hi Matthew

With regards to Q1, I remember reading something to the effect that there are other tools that do the job better.  There was a detailed article somewhere, but I can't locate it at the moment.  As the web reference you gave states, Sanitize was destructive, instead of just making sure the data submitted was okay.  Models still sanitize their data, so Little Bobby Tables shouldn't get through. There's usage of h() for output, HTML Purifier for HTML input (though I've never used it) and the Security Component with the Form Helper to prevent tampering with form input.

I've never used CakePHP's Security Component, but I have used other frameworks with a similar concept.  Usage of the component depends on how dynamic your forms are.  If you're adding form elements on the fly, then the security component might not work so well for those particular forms.  Cake Validation just improves the quality of your input, but I wouldn't rely on it for any sort of security check.

Your best bet for security is unit and integration tests.  Check out the CakePHP tests that test security.  Write your own tests for your own forms to satisfy yourself that malicious form data will get caught.

On Wednesday, 9 October 2013 04:48:22 UTC+10, schenke...@gmail.com wrote:
Greetings,
I am new to this community -- and to CakePHP itself.  I have been testing a long list of PHP frameworks (CodeIgniter, Laravel, Symfony, Yii) and find myself really attracted to Cake because of the logic of how it works.  It just makes sense to me!

OK, for my actual questions on security...

1. I'm confused about the Cake documentation entry stating that the Sanitize element is no longer being maintained (http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html).  Is this because it is no longer needed, or is it because we are expected to find an external library for this purpose?
2. Is it enough to use this combination of elements in my apps:
    (a) FormHelper
    (b) SecurityComponent
    (c) Cake Validation

I know security is a very big topic.  And I know we can never be 100% certain we have covered everything.  But when do Cake developers generally reach that balance where they have done enough?

Thanks,
Matthew
