I have a basic Yii CActiveForm that I'm using to gather input from users, which then is inserted into a database [edit] via default Yii ActiveRecord models[/edit]. Like anyone, I want to make sure that a clever user doesn't drop my database via one of these fields.
The question is: does the Yii CActiveForm automatically sanitize input before it can do anything malicious? I can't find any documentation on this. Not sure if I need to spend time on it or it's already taken care of.
Thanks!
3 solutions
#1
6
When you say "CActiveForm", I assume you mean using the Yii-generated models and controllers. CActiveForm doesn't automatically do any sanitizing for you, but if you use the ActiveRecord methods that Yii uses by default, it will generally do the PDO bindings for you based on the data types of each field. If you are creating your own queries using createCommand() or another method, you should define your own bindings.
If you want to see what's going on, you can turn on logging, e.g., to generate a file with the db commands, add this to your config file in the components->log array:
'components'=>array(
    'log'=>array(
        'class'=>'CLogRouter',
        'routes'=>array(
            array(
                'class'=>'CFileLogRoute',
                'levels'=>'trace, info',
                'categories'=>'system.db.*',
                'logFile'=>'db.log',
            ),
            ...
and if you see the update statements parameterized, you can be pretty sure they are using PDO bindings, which will prevent most, but not necessarily all, SQL attacks. (By default the log file is saved in your "runtime" directory, which you can then trace out. You can also have it displayed at the bottom of the web page or FireBug with CWebLogRoute, but that won't show all commands if a page gets redirected.)
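To make the "parameterized" point above concrete, here is an added example that is not code from the answer or from Yii. It uses plain PDO on an in-memory SQLite database, which is the layer Yii's CActiveRecord and CDbCommand wrap, and needs only a PHP build with the bundled pdo_sqlite driver. The table and column names and the payload string are constructed for the example. It shows the "drop my database" input being stored as harmless text when it is bound, the same input dropping the table when it is concatenated, and the case bindings do not cover (a user-chosen ORDER BY column), which is handled with a whitelist.

```php
<?php
// Added example, not code from the answer above or from Yii itself. Plain PDO on
// an in-memory SQLite database, the layer that Yii's CActiveRecord and CDbCommand
// sit on, showing what a bound parameter buys you and where it stops.

// Constructed payload: what a user might type into a CActiveForm text field.
const HOSTILE_NAME = "x'); DROP TABLE user; --";

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// The "before" case: the value is spliced into the SQL text, so the quote and
// semicolon in HOSTILE_NAME close the INSERT and start a second statement,
// which sqlite's exec() runs as well.
function insertUnsafe(PDO $db, string $name): void
{
    $db->exec("INSERT INTO user (name) VALUES ('$name')");
}

// The bound-parameter case: the value reaches the driver separately from the
// SQL text and can only ever be data. CDbCommand::bindValue() does the same.
function insertSafe(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO user (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
}

function tableExists(PDO $db, string $table): bool
{
    $stmt = $db->prepare("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = :t");
    $stmt->execute([':t' => $table]);
    return (bool) $stmt->fetchColumn();
}

// The "not necessarily all" part: placeholders bind values, not identifiers.
// A user-chosen sort column cannot be a parameter, so it is checked against a
// fixed list before it is interpolated into the query text.
function listUsers(PDO $db, string $orderBy): array
{
    $allowed = ['id', 'name'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column: $orderBy");
    }
    return $db->query("SELECT id, name FROM user ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
insertSafe($db, HOSTILE_NAME);
if (!tableExists($db, 'user')) {
    throw new RuntimeException('bound parameter did not protect the table');
}
$stored = $db->query('SELECT name FROM user')->fetchColumn();
if ($stored !== HOSTILE_NAME) {
    throw new RuntimeException('payload was altered instead of stored verbatim');
}
echo "bound parameter: table intact, payload stored as plain text\n";
print_r(listUsers($db, 'name'));

$db = makeDb();
insertUnsafe($db, HOSTILE_NAME);
echo 'string concatenation: ', tableExists($db, 'user') ? 'table survived' : 'table dropped', "\n";
```

In Yii 1.1 the bound form corresponds to `Yii::app()->db->createCommand('INSERT INTO user (name) VALUES (:name)')->bindValue(':name', $name)->execute()`, which is what you should see as parameterized statements in the db.log produced by the config above. The whitelist in listUsers() is the part no binding API gives you for free: any column, table, or sort direction that comes from the request has to be matched against a fixed set before it touches the query text.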
#2
3
CActiveForm does not automatically do any sanitation of user input. That said, here are some more details about Yii security:
Cross-Site Scripting Security (XSS):
The Yii Guide post about its security features:
http://www.yiiframework.com/doc/guide/1.1/en/topics.security
To summarize the link above, you can pretty easily enable the CHtmlPurifier filter to sanitize user input before your action fires, but it's not the default behavior.
Yii also has some features you can turn on to validate cookies and prevent cross-site request forgery, also mentioned in the link.
Database Security:
As for your concern about user input dropping your database, if you use Yii's standard Data Access Objects (like CActiveRecord) and MySql, the PDO bindings used to save data should protect against 1st-order SQL injection attacks.
#3
0
Yii doesn't provide an input sanitization feature. The CHtmlPurifier component is used to sanitize the data to be displayed to end-users.
You can use PHP filter_input() function directly (http://us3.php.net/m...ilter-input.php) if you want to sanitize the input.
I got these answers from the link below:
http://www.yiiframework.com/forum/index.php/topic/1041-how-to-sanitize-post/
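Answers #2 and #3 draw a line between handling input and handling output. The following is an added example, not code from the answers or from Yii, that shows both halves in plain PHP: a field is validated when it arrives with filter_var(), which is the same filter extension as the filter_input() mentioned above but fed from an explicit value so the script runs offline, and free text is HTML-encoded only at the point of display with htmlspecialchars() and ENT_QUOTES, which is the call Yii's CHtml::encode() makes internally. The field names and the submitted values are constructed for the example.

```php
<?php
// Added example, not code from the answers above or from Yii. Validation on the
// way in (filter_var, the same extension as filter_input) and HTML encoding on
// the way out (htmlspecialchars with ENT_QUOTES, as CHtml::encode() does).

// Constructed: a hostile submission, roughly what $_POST['User'] would hold after
// a CActiveForm post. The field names are assumptions for the example.
const SUBMITTED = [
    'id'   => '42 OR 1=1',
    'name' => '<script>alert(document.cookie)</script>',
];

// Validate rather than "clean" the id: a positive integer comes back as an int,
// anything else is rejected, so no query ever sees the raw string.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Free text is stored exactly as typed; it is made safe for HTML at output time.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderUserRow(int $id, string $name): string
{
    return '<tr><td>' . $id . '</td><td>' . encodeForHtml($name) . '</td></tr>';
}

if (validateId('42') !== 42) {
    throw new RuntimeException('validator rejected a well-formed id');
}
if (validateId(SUBMITTED['id']) !== null) {
    throw new RuntimeException('validator accepted an injected id');
}
echo 'rejected id: ', encodeForHtml(SUBMITTED['id']), "\n";

$html = renderUserRow(7, SUBMITTED['name']);
if (strpos($html, '<script') !== false) {
    throw new RuntimeException('script tag reached the output');
}
echo $html, "\n";
```

The split matters for the original question: a validated integer id never needs "sanitizing" for SQL because it is no longer a string by the time it is bound, and the stored name is left intact so the same record can later be rendered as HTML, JSON, or a mail body with the encoding appropriate to each.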