Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Y
yii2
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
PSDI Army
yii2
Commits
996856c0
Commit
996856c0
authored
Dec 14, 2014
by
Alexander Makarov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Security best practices guide
parent
46746dac
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
148 additions
and
7 deletions
+148
-7
README.md
docs/guide/README.md
+1
-1
db-dao.md
docs/guide/db-dao.md
+1
-1
security-best-practices.md
docs/guide/security-best-practices.md
+146
-5
No files found.
docs/guide/README.md
View file @
996856c0
...
@@ -112,7 +112,7 @@ Security
...
@@ -112,7 +112,7 @@ Security
*
[
Authorization
](
security-authorization.md
)
*
[
Authorization
](
security-authorization.md
)
*
[
Working with Passwords
](
security-passwords.md
)
*
[
Working with Passwords
](
security-passwords.md
)
*
**TBD**
[
Auth Clients
](
security-auth-clients.md
)
*
**TBD**
[
Auth Clients
](
security-auth-clients.md
)
*
**TBD**
[
Best Practices
](
security-best-practices.md
)
*
[
Best Practices
](
security-best-practices.md
)
Caching
Caching
...
...
docs/guide/db-dao.md
View file @
996856c0
...
@@ -194,7 +194,7 @@ $connection->createCommand()->update('user', ['status' => 1], 'age > 30')->execu
...
@@ -194,7 +194,7 @@ $connection->createCommand()->update('user', ['status' => 1], 'age > 30')->execu
$connection
->
createCommand
()
->
delete
(
'user'
,
'status = 0'
)
->
execute
();
$connection
->
createCommand
()
->
delete
(
'user'
,
'status = 0'
)
->
execute
();
```
```
Quoting Table and Column Names
Quoting Table and Column Names
<a name="quoting-table-and-column-names"></a>
------------------------------
------------------------------
To make column and table names safe to use in queries, you can have Yii properly quote them for you:
To make column and table names safe to use in queries, you can have Yii properly quote them for you:
...
...
docs/guide/security-best-practices.md
View file @
996856c0
Security best practice
Security best practice
s
======================
======================
=
> Note: This section is under development.
Below we'll review common security principles and describe how to avoid threats when developing applications using Yii.
>
> It has no content yet.
Basic principles
----------------
There are two main principles when it comes to security no matter which application is being developed:
1.
Filter input.
2.
Escape output.
### Filter input
Filter input means that input should never be considered safe and you should always check if the value you've got is
actually among allowed ones i.e. if we know that sorting could be done by three fields
`title`
,
`created_at`
and
`status`
and the field could be supplied via used input it's better to check the value we've got right where we're receiving it.
In terms of basic PHP that would look like the following:
```
php
$sortBy
=
$_GET
[
'sort'
];
if
(
!
in_array
(
$sortBy
,
[
'title'
,
'created_at'
,
'status'
]))
{
throw
new
Exception
(
'Invalid sort value.'
);
}
```
In Yii, most probably you'll use
[
form validation
](
input-validation.md
)
to do alike checks.
### Escape output
Escape output means that depending on context where we're using data it should be escaped i.e. in context of HTML you
should escape
`<`
,
`>`
and alike special characters. In context of JavaScript or SQL it will be different set of characters.
Since it's error-prone to escape everything automatically Yii provides various tools to perform escaping for different
contexts.
Avoiding SQL injections
-----------------------
SQL injection happens when query text is formed by concatenating unescaped strings such as the following:
```
php
$username
=
$_GET
[
'username'
];
$sql
=
"SELECT * FROM user WHERE username = '
$username
'"
;
```
Instead of supplying correct username attacker could give your applications something like
`'; DROP TABLE user; --`
.
Resulting SQL will be the following:
```
sql
SELECT
*
FROM
user
WHERE
username
=
''
;
DROP
TABLE
user
;
--'
```
This is valid query that will search for users with empty username and then will drop
`user`
table most probably
resulting in broken website and data loss (you've set up regular backups, right?).
In Yii most of database querying happens via
[
Active Record
](
db-active-record.md
)
which properly uses PDO perpared
statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above.
Still, sometimes you need
[
raw queries
](
db-dao.md
)
or
[
query builder
](
db-query-builder.md
)
. In this case you should use
safe ways of passing data. If data is used for column values it's preferred to use prepared statements:
```
php
// query builder
$userIDs
=
(
new
Query
())
->
select
(
'id'
)
->
from
(
'user'
)
->
where
(
'status=:status'
,
[
':status'
=>
$status
])
->
all
();
// DAO
$userIDs
=
$connection
->
createCommand
(
'SELECT id FROM user where status=:status'
)
->
bindValues
([
':status'
=>
$status
])
->
queryColumn
();
```
If data is used to specify column names or table names it should be escaped. Yii has special syntax for such escaping
which allows doing it the same way for all databases it supports:
```
php
$sql
=
"SELECT COUNT([[
$column
]]) FROM
{
{table}
}
"
;
$rowCount
=
$connection
->
createCommand
(
$sql
)
->
queryScalar
();
```
You can get details about the syntax in
[
Quoting Table and Column Names
](
db-dao.md#quoting-table-and-column-names
)
.
Avoiding XSS
------------
XSS or cross-site scripting happens when output isn't escaped properly when outputting HTML to the browser. For example,
if user can enter his name and instead of
`Alexander`
he enters
`<script>alert('Hello!');</script>`
, every page that
outputs user name without escaping it will execute JavaScript
`alert('Hello!');`
resulting in alert box popping up
in a browser. Depending on website instead of innocent alert such script could send messages using your name or even
perform bank transactions.
Avoiding XSS is quite easy in Yii. There are generally two cases:
1.
You want data to be outputted as plain text.
2.
You want data to be outputted as HTML.
If all you need is plain text then escaping is as easy as the following:
```php
<?= \yii\helpers\Html::encode($username) ?>
```
If it should be HTML we could get some help from HtmlPurifier:
```
php
<?=
\yii\helpers\HtmlPurifier
::
process
(
$description
)
?>
```
Note that HtmlPurifier processing is quite heavy so consider adding caching.
Avoiding CSRF
-------------
TBD
Avoiding file exposure
----------------------
By default server webroot is meant to be pointed to
`web`
directory where
`index.php`
is. In case of shared hosting
environments it could be impossible to achieve so we'll end up with all the code, configs and logs in server webroot.
If it's the case don't forget to deny access to everything except
`web`
. If it can't be done consider hosting your
application elsewhere.
Avoiding debug info and tools at production
-------------------------------------------
In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these
verbose errors are handy for attacker as well since these could reveal database structure, configuration values and
parts of your code. Never run production applications with
`YII_DEBUG`
set to
`true`
in your
`index.php`
.
You should never enalble Gii at production. It could be used to get information about database structure, code and to
simply rewrite code with what's generated by Gii.
Debug toolbar should be avoided at production unless really necessary. It exposes all the application and config
details possible. If you absolutely need it check twice that access is proerly restricted to your IP only.
\ No newline at end of file
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment