Yii Framework tutorial: security solutions explained (Yii PHP tutorial)

Source: Internet
Author: User

This article describes the security solutions built into the Yii Framework and is shared here for reference. The details are as follows:

The security of a web application is very important. In an age of hackers, your website may be attacked tomorrow. To prevent attacks to some extent, Yii provides several solutions. Of course, the security covered here is only one side of the picture, but it is worth a look.

Official solutions include:

1. Preventing cross-site scripting attacks

Cross-site scripting (XSS) attacks target web applications that collect data from users. Attackers inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable web application to mislead visitors and harvest their information. For example, a poorly designed forum system may display user input without checking it. An attacker can then inject malicious JavaScript code into the post content, and when other visitors read the post, that JavaScript runs in their browsers.

One of the most important measures against XSS is to check user-supplied content before displaying it. For example, you can HTML-escape the content. In some cases, however, this approach is undesirable because it disables all HTML tags.

Yii integrates HTMLPurifier and provides developers with a useful component, CHtmlPurifier, which wraps the HTMLPurifier class. Through thorough auditing, security-aware processing and a whitelist, it removes all malicious code from the reviewed content and ensures that the filtered output conforms to the standard.

The CHtmlPurifier component can be used either as a widget or as a filter. When used as a widget, CHtmlPurifier safely filters the content displayed in a view. Sample code:

<?php $this->beginWidget('CHtmlPurifier'); ?>
... the content entered by the user is displayed here ...
<?php $this->endWidget(); ?>
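The two output strategies the text contrasts (escaping everything versus purifying against a whitelist), applied to the same constructed forum post. This is an added example, not code from the original tutorial; it assumes a Yii 1.1 application with the framework autoloader active.

```php
<?php
// Added example, not from the original tutorial: escaping versus whitelist
// purification of the same user-supplied forum post in Yii 1.1.
// Assumes a Yii 1.1 application (framework autoloader active).

// Constructed sample post: legitimate formatting mixed with an inline event
// handler and a javascript: link, the kind of payload the text describes.
$userPost = '<p>Hello <b>world</b> '
          . '<img src="x" onerror="alert(1)"> '
          . '<a href="javascript:alert(2)">click</a></p>';

// Strategy 1: escape everything. Nothing executes, but every tag is shown
// literally, so the post loses its formatting.
$escaped = CHtml::encode($userPost);

// Strategy 2: purify against a whitelist. CHtmlPurifier wraps HTMLPurifier
// and passes 'options' straight through as HTMLPurifier config directives.
$purifier = new CHtmlPurifier();
$purifier->options = array(
    'HTML.Allowed'           => 'p,b,i,a[href]',      // only these survive
    'URI.AllowedSchemes'     => array('http' => true, 'https' => true),
    'AutoFormat.RemoveEmpty' => true,                 // drop emptied elements
);
$clean = $purifier->purify($userPost);
// $clean keeps <p>, <b> and the <a> element, drops the <img> (not in the
// whitelist, so its onerror handler goes with it) and strips the
// javascript: href because that scheme is not allowed. on* attributes are
// never whitelisted, so no event handler can survive purification.

// In a view, render whichever form the page needs; both are safe to echo.
// echo $escaped;   // plain-text rendering of the post
// echo $clean;     // formatted rendering with the whitelist applied
```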

2. Defending against cross-site request forgery

A cross-site request forgery (CSRF) attack occurs when a user's browser, while visiting a malicious website, is made to send a request of the attacker's choosing to a trusted website. For example, the malicious site may contain an image whose src points to a bank website: http://bank.example/withdraw?transfer=10000&to=someone. If the user visits this malicious page while logged in to the bank's website, the browser sends that request to the bank, and its effect may be "transfer 10000 yuan to the attacker's account". XSS exploits the trust a user places in a particular website, whereas CSRF exploits the trust a website places in the identity of a particular user.

To prevent CSRF attacks, keep in mind that a GET request may only retrieve data and must never modify anything on the server. A POST request should carry a random value that the server can recognize, so that the form data can be verified to come from the same origin that produced the form.

Yii implements a CSRF mechanism to help prevent POST-based attacks. Its core is to store a random value in a cookie and compare it with the corresponding value in the POST data submitted with the form.

CSRF protection is disabled by default. To enable it, edit the request component (CHttpRequest) section of the application configuration.

Sample code:

return array(
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
        ),
    ),
);

To display a form, use CHtml::form instead of hand-writing the HTML. CHtml::form automatically embeds a hidden field in the form that stores the random value required for verification, which is sent to the server for checking when the form is submitted.
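CSRF protection wired end to end, from the configuration through the CHtml::form view to a POST-only action, using the bank-withdrawal scenario from the text. This is an added example, not code from the original tutorial; the route 'account/withdraw', AccountController and the TransferForm model are hypothetical names, and the postOnly filter requires Yii 1.1.7 or later.

```php
<?php
// Added example, not from the original tutorial: CSRF protection in Yii 1.1.
// 'account/withdraw', AccountController and TransferForm are hypothetical
// names chosen to match the bank example in the text; postOnly needs 1.1.7+.

// --- protected/config/main.php (fragment) ---
$config = array(
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
            // keep the token cookie out of reach of script in the page
            'csrfCookie'           => array('httpOnly' => true),
        ),
    ),
);

// --- protected/views/account/withdraw.php ---
// CHtml::form() emits the hidden token field; a hand-written <form> would
// not, and the POST would then be rejected with HTTP 400.
echo CHtml::form(array('account/withdraw'), 'post');
echo CHtml::activeTextField($model, 'amount');
echo CHtml::submitButton('Withdraw');
echo CHtml::endForm();

// --- protected/controllers/AccountController.php ---
class AccountController extends CController
{
    // The text's rule "GET only reads, POST changes state" enforced here:
    // a GET to /account/withdraw?amount=10000 triggered by an <img> src
    // never reaches actionWithdraw; the filter answers with HTTP 400.
    public function filters()
    {
        return array('postOnly + withdraw');
    }

    public function actionWithdraw()
    {
        // By the time this runs, CHttpRequest has already compared the
        // token cookie with the token in $_POST and thrown a 400
        // CHttpException on mismatch, so the form submission is genuine.
        $model = new TransferForm();
        if (isset($_POST['TransferForm'])) {
            $model->attributes = $_POST['TransferForm'];
            if ($model->validate()) {
                $model->transfer();   // hypothetical: perform the transfer
                $this->redirect(array('account/index'));
            }
        }
        $this->render('withdraw', array('model' => $model));
    }
}
```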

3. Preventing cookie attacks

It is very important to protect cookies from attack, because session IDs are usually stored in cookies. If an attacker steals a valid session ID, the attacker can use the session that belongs to it.

There are several preventive measures:

Use SSL to create a secure channel and transmit authentication cookies only over HTTPS connections, so that an attacker cannot read the cookies in transit.

Set an expiration time on cookies, and do the same for all cookies and session tokens. This reduces the window in which they can be abused.

Prevent cross-site scripting, because it can run arbitrary code in the user's browser and thereby expose the cookies.

Validate the contents of a cookie so that any change to it can be detected.

Yii implements a cookie validation mechanism to prevent cookies from being modified. Once enabled, it performs an HMAC check on every cookie value.

Cookie validation is disabled by default. To enable it, edit the request component (CHttpRequest) section of the application configuration.

Sample code:

return array(
    'components' => array(
        'request' => array(
            'enableCookieValidation' => true,
        ),
    ),
);

Use only cookie data that Yii has validated: perform cookie operations through Yii's built-in cookie collection, and do not read $_COOKIE directly.

// Retrieve the cookie named $name
$cookie = Yii::app()->request->cookies[$name];
$value = $cookie->value;
......
// Set a cookie
$cookie = new CHttpCookie($name, $value);
Yii::app()->request->cookies[$name] = $cookie;
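The four preventive measures above (HTTPS-only cookies, expiry, XSS exposure, validation) expressed as Yii 1.1 configuration and cookie code. This is an added example, not code from the original tutorial; it assumes cookie validation is enabled in the configuration, and the 'lang' preference cookie is a hypothetical name.

```php
<?php
// Added example, not from the original tutorial: cookie handling in Yii 1.1
// with validation on. The 'lang' preference cookie is a hypothetical name.

// --- protected/config/main.php (fragment) ---
// Sign cookies, and make the session cookie HttpOnly and HTTPS-only so that
// neither an injected script nor a plain-HTTP listener sees the session ID.
$config = array(
    'components' => array(
        'request' => array('enableCookieValidation' => true),
        'session' => array(
            'cookieParams' => array('httponly' => true, 'secure' => true),
            'timeout'      => 1800,   // seconds of inactivity before expiry
        ),
    ),
);

// Writing: set the flags on the CHttpCookie object instead of calling
// setcookie() or touching $_COOKIE; the collection signs the value for you.
$cookie = new CHttpCookie('lang', 'en');
$cookie->expire   = time() + 86400;  // one-day lifetime rather than "forever"
$cookie->httpOnly = true;            // not readable by script in the page
$cookie->secure   = true;            // sent over HTTPS only
Yii::app()->request->cookies['lang'] = $cookie;

// Reading: the collection only exposes cookies whose HMAC verified.
// A value edited on the client fails the check and is simply absent,
// so a default must be handled here rather than trusting the client.
$lang = 'en';
if (isset(Yii::app()->request->cookies['lang'])) {
    $lang = Yii::app()->request->cookies['lang']->value;
}
// $_COOKIE['lang'], by contrast, hands back the raw signed string without
// any check, which is why the text says not to read $_COOKIE directly.
```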
