A detailed PHP example of the security scheme of the Yii framework (Yii framework tutorial)

Source: Internet
Author: User
Tags: getting started with PHP, Smarty templates, CSRF attacks
This article describes the security scheme of the Yii framework (Yii 1.x). It is shared for your reference, as follows:

Web application security matters: any public site can come under attack at any time. To make the most common attacks harder, Yii ships with several built-in protections. The measures below cover only part of the picture, but they are worth knowing.

The official solutions are as follows:

1. Prevention of cross-site scripting attacks

Cross-site scripting (XSS) arises wherever a web application collects data from users and displays it again. An attacker injects JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable page so that it runs in other visitors' browsers, typically to steal their session cookies or other data. For example, a poorly designed forum may display user input without checking it. An attacker can then put a piece of malicious JavaScript into the body of a post; when other visitors read that post, the script runs in their browsers.

The most important defence against XSS is to sanitize user-supplied content before displaying it, for example by HTML-escaping it. In some cases, however, escaping is not acceptable, because it neutralizes every HTML tag, including the harmless formatting the site wants to allow.

For those cases Yii integrates HTMLPurifier and provides the CHtmlPurifier component, which wraps the HTMLPurifier class. HTMLPurifier works from a whitelist of allowed elements and attributes: everything not on the whitelist, including script and event handlers, is removed from the audited content, and the output is rewritten as standards-compliant HTML.

CHtmlPurifier can be used either as a widget or as a filter. When used as a widget, it purifies whatever is rendered between its begin and end calls in a view, so user-supplied HTML can be shown safely. Here is a code example:

    <?php $this->beginWidget('CHtmlPurifier'); ?>
    ... the content entered by the user is displayed here ...
    <?php $this->endWidget(); ?>

2. Prevention of cross-site request forgery attack

In a cross-site request forgery (CSRF) attack, a malicious website causes the victim's browser to send a request to a trusted website on which the victim is logged in. For example, the malicious page may contain an image whose src points at a bank website: Http://bank.example/withdraw?transfer=10000&to=someone. If the user opens that page while still logged in to the bank, the browser sends the request together with the user's bank cookies, and the bank may carry out "transfer 10000 yuan to the attacker's account". The two attacks are mirror images: XSS abuses the trust a user places in a particular website, while CSRF abuses the trust a website places in the user's browser, that is, the user's authenticated identity on that site.

Two rules are essential to guarding against CSRF. First, a GET request must only retrieve data and must never modify anything on the server, because a GET can be triggered from any site by a simple image or link. Second, every state-changing POST request should carry a random value that the server can verify, so that the server can tell that the form being submitted was issued by the application itself and not by a third-party page.

Yii implements a CSRF protection mechanism for POST-based attacks. Its core is simple: a random token is stored in a cookie, and on every POST request Yii compares that cookie with the corresponding value submitted in the POST data by the form. A page on another origin cannot read the cookie, so it cannot produce a form that carries the matching value.

CSRF validation is disabled by default. To enable it, edit the request component (an instance of CHttpRequest) in the application configuration.

code example:

    return array(
        'components' => array(
            'request' => array(
                'enableCsrfValidation' => true,
            ),
        ),
    );

When rendering a form, use CHtml::form instead of writing the form tag by hand. With CSRF validation enabled, CHtml::form automatically embeds a hidden input (named after the request component's csrfTokenName, YII_CSRF_TOKEN by default) that carries the random token; when the form is submitted, that value is sent back to the server and checked against the cookie. Note that only POST requests are checked, which is one more reason never to change state in a GET handler.
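To make the mechanism concrete, here is an added example in plain PHP that is not Yii's own code: it implements the same double-submit scheme the section describes (random token in a cookie, the same token in a hidden field, both compared on POST) with the cookie jar and request passed in as arrays so it runs from the command line. The token name reuses Yii's default; the function names and the sample requests are constructed for this illustration.

```php
<?php
// Added example, not Yii's code: a minimal double-submit CSRF check in plain PHP
// mirroring the scheme the page describes. Cookies and request data are passed in
// explicitly (simulated) so the script runs from the command line without a web server.

const CSRF_TOKEN_NAME = 'YII_CSRF_TOKEN'; // Yii's default name; any name works

// Issue a fresh token and store it in the (simulated) cookie jar.
function csrfIssueToken(array &$cookies): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $cookies[CSRF_TOKEN_NAME] = $token;      // a real app would call setcookie() with Secure/HttpOnly
    return $token;
}

// Hidden input to embed in every POST form, which CHtml::form() does for you.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted request: only POST is checked (GET must be read-only);
// the cookie and the form field must both be present and must match.
function csrfValidate(string $method, array $cookies, array $post): bool
{
    if ($method !== 'POST') {
        return true;
    }
    $fromCookie = $cookies[CSRF_TOKEN_NAME] ?? null;
    $fromForm   = $post[CSRF_TOKEN_NAME] ?? null;
    if (!is_string($fromCookie) || !is_string($fromForm) || $fromCookie === '') {
        return false;
    }
    return hash_equals($fromCookie, $fromForm);  // constant-time comparison
}

// --- constructed requests for demonstration ---
$jar = [];
$token = csrfIssueToken($jar);

// 1. Legitimate submission: the browser sends the cookie and the form it was served.
$legit = [CSRF_TOKEN_NAME => $token, 'transfer' => '10000', 'to' => 'someone'];
var_dump(csrfValidate('POST', $jar, $legit));

// 2. Form hosted on the attacker's site: the browser still attaches the cookie, but
//    the attacker cannot read it, so the hidden field is missing or guessed.
$forged = ['transfer' => '10000', 'to' => 'attacker'];
var_dump(csrfValidate('POST', $jar, $forged));
$guessed = [CSRF_TOKEN_NAME => str_repeat('a', 64), 'transfer' => '10000'];
var_dump(csrfValidate('POST', $jar, $guessed));

// 3. The <img src="...withdraw?..."> trick from the page is a GET and is not
//    checked at all, which is why GET handlers must never change state.
var_dump(csrfValidate('GET', $jar, []));

echo csrfHiddenField($token), "\n";
```

Running it with `php csrf.php` shows the legitimate submission accepted, both forged submissions rejected, and the GET passing straight through the check. The constant-time hash_equals comparison avoids leaking the token byte by byte through timing differences.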

3. Prevention of Cookie attacks

Cookies must be protected from attack because the session ID is usually stored in a cookie. An attacker who steals a valid session ID can take over the session it belongs to and act as that user.

Here are a few precautions:

Use SSL/TLS to establish a secure channel and send the authentication cookie only over HTTPS connections (set the cookie's Secure flag). An attacker sniffing the network then cannot read the cookie in transit.

Set an expiration time on every cookie and session token. A short lifetime narrows the window in which a stolen token is useful.

Protect against cross-site scripting, since an XSS flaw lets an attacker run arbitrary code in the user's browser and read the user's cookies from there. Marking cookies HttpOnly keeps them out of reach of scripts.

Validate the contents of cookies so that any change made on the client side is detected and the cookie is rejected.

Yii implements a cookie validation mechanism to detect modified cookies. When it is enabled, every cookie value written through Yii is signed with an HMAC (via CSecurityManager), and the signature is verified when the cookie is read back; a cookie whose HMAC does not match is discarded.

Cookie validation is disabled by default. To enable it, edit the request component (CHttpRequest) in the application configuration.

code example:

    return array(
        'components' => array(
            'request' => array(
                'enableCookieValidation' => true,
            ),
        ),
    );

Be sure to work only with cookie data that Yii has validated: read and write cookies through Yii's built-in cookie collection rather than through the raw $_COOKIE superglobal, which bypasses the HMAC check entirely.

    // retrieve the value of the cookie named $name
    $cookie = Yii::app()->request->cookies[$name];
    $value = $cookie->value;
    // ...
    // set a cookie
    $cookie = new CHttpCookie($name, $value);
    Yii::app()->request->cookies[$name] = $cookie;
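The following is an added example in plain PHP, not Yii's code, showing what cookie validation amounts to: an HMAC-SHA256 tag is prepended to the cookie value on write and verified on read, so an edited or forged cookie comes back as null instead of as data. The key constant, function names and sample cookies are constructed for this illustration; in a real deployment the key is a secret kept in the application configuration.

```php
<?php
// Added example, not Yii's code: HMAC-signed cookie values in plain PHP, mirroring
// what enableCookieValidation does through CSecurityManager. The key is a
// constructed placeholder; a real application keeps it secret in its configuration.

const COOKIE_KEY = 'constructed-secret-key-replace-in-production';

// Sign: prepend an HMAC-SHA256 tag over the value so any change is detectable.
function signCookieValue(string $value, string $key = COOKIE_KEY): string
{
    return hash_hmac('sha256', $value, $key) . $value;
}

// Verify: split off the 64-hex-char tag, recompute it, compare in constant time.
// Returns the original value, or null when the cookie is missing or has been altered.
function validateCookieValue(?string $signed, string $key = COOKIE_KEY): ?string
{
    if ($signed === null || strlen($signed) < 64) {
        return null;
    }
    $tag      = substr($signed, 0, 64);
    $value    = substr($signed, 64);
    $expected = hash_hmac('sha256', $value, $key);
    return hash_equals($expected, $tag) ? $value : null;
}

// --- constructed cookies for demonstration ---
$cookie = signCookieValue('user_id=42;role=user');

// An untouched cookie comes back intact.
var_dump(validateCookieValue($cookie));

// The user edits the payload in the browser to escalate privilege:
// the tag no longer matches the data.
$tampered = substr($cookie, 0, 64) . 'user_id=42;role=admin';
var_dump(validateCookieValue($tampered));

// A cookie forged from scratch without the key carries a worthless tag.
$forged = str_repeat('0', 64) . 'user_id=1;role=admin';
var_dump(validateCookieValue($forged));

// A truncated or absent cookie is rejected rather than causing an error.
var_dump(validateCookieValue('abc'));
var_dump(validateCookieValue(null));
```

Run with `php cookies.php`: the first call returns the original string, and every other call returns null. Signing only proves integrity, not confidentiality, so secrets still must not be placed in a cookie in the clear; and the check only helps if the application reads cookies through the validating code path, never through $_COOKIE directly.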


We hope this article is helpful for PHP development based on the Yii framework.
