Commit 0f0d9020 by pana1990

fix mistake small [skip ci]

parent 996856c0
Security best practices Security best practices
======================= =======================
Below we'll review common security principles and describe how to avoid threats when developing applications using Yii. Below we'll review common security principles and describe how to avoid threats when developing applications using Yii.
Basic principles Basic principles
---------------- ----------------
...@@ -56,7 +56,7 @@ SELECT * FROM user WHERE username = ''; DROP TABLE user; --' ...@@ -56,7 +56,7 @@ SELECT * FROM user WHERE username = ''; DROP TABLE user; --'
This is valid query that will search for users with empty username and then will drop `user` table most probably This is valid query that will search for users with empty username and then will drop `user` table most probably
resulting in broken website and data loss (you've set up regular backups, right?). resulting in broken website and data loss (you've set up regular backups, right?).
In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO perpared In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO prepared
statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above. statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above.
Still, sometimes you need [raw queries](db-dao.md) or [query builder](db-query-builder.md). In this case you should use Still, sometimes you need [raw queries](db-dao.md) or [query builder](db-query-builder.md). In this case you should use
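Review bot: the `perpared` → `prepared` fix is correct, but the sentence two lines above it still lacks its articles and has a misplaced modifier: "This is valid query that will search for users with empty username and then will drop `user` table most probably resulting in broken website". Since this is a typo pass, suggest rewording it in the same hunk to "This is a valid query that will search for users with an empty username and then drop the `user` table, most probably resulting in a broken website and data loss".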
...@@ -69,7 +69,7 @@ $userIDs = (new Query()) ...@@ -69,7 +69,7 @@ $userIDs = (new Query())
->from('user') ->from('user')
->where('status=:status', [':status' => $status]) ->where('status=:status', [':status' => $status])
->all(); ->all();
// DAO // DAO
$userIDs = $connection $userIDs = $connection
->createCommand('SELECT id FROM user where status=:status') ->createCommand('SELECT id FROM user where status=:status')
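Review bot: the variable is named `$userIDs`, but the query-builder branch ends in `->all()`, which returns one associative array per row rather than a flat list of ids, so the two snippets are not equivalent to the DAO branch's `SELECT id FROM user where status=:status`. Either end the query-builder version with `->column()` (after selecting `id`) so both branches yield ids, or rename the variable to `$users`. Minor style point in the same hunk: `where` is lowercase in the DAO SQL string while `SELECT` and `FROM` are uppercase; keep keyword case consistent.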
...@@ -138,7 +138,7 @@ Avoiding debug info and tools at production ...@@ -138,7 +138,7 @@ Avoiding debug info and tools at production
In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these
verbose errors are handy for attacker as well since these could reveal database structure, configuration values and verbose errors are handy for attacker as well since these could reveal database structure, configuration values and
parts of your code. Never run production applications with `YII_DEBUG` set to `true` in your `index.php`. parts of your code. Never run production applications with `YII_DEBUG` set to `true` in your `index.php`.
You should never enalble Gii at production. It could be used to get information about database structure, code and to You should never enalble Gii at production. It could be used to get information about database structure, code and to
simply rewrite code with what's generated by Gii. simply rewrite code with what's generated by Gii.
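Review bot: `enalble` in "You should never enalble Gii at production" is still misspelled on both sides of this hunk, even though the commit fixes the same kind of typo in the `@@ -56,7` hunk; suggest "You should never enable Gii in production" here as well. The preceding sentence has the same preposition issue ("debug info and tools at production" → "in production").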