YII Framework Framework Tutorial Security Program detailed, yiiframework_php tutorial

Source: Internet
Author: User
Tags configuration php getting started with php smarty template yii csrf attack

A detailed approach to the safety of the YII Framework Framework tutorial, Yiiframework


This paper describes the security scheme of YII framework framework. Share to everyone for your reference, as follows:

Web application security issues are important, in the "hacker" era, your site may be under attack tomorrow, in order to prevent the attack in some way, Yii provides several solutions to prevent attacks. Of course, the security here is one-sided, but it is worth seeing.

The official solutions are as follows:

1. Prevention of cross-site scripting attacks

Cross-site scripting attacks (XSS), the Web app collects user data from users. Attackers often inject javascript,vbscript,activex,html or flash into vulnerable web apps to confuse visitors to gather information about their visitors. For example, a non-well-designed forum system may display user input without checking. An attacker could inject a malicious piece of JavaScript code into the content of the post. This way, when other visitors are reading this post, the JavaScript code can be run on the guest's computer.

One of the most important measures to protect against XSS attacks is to check content before displaying what the user has entered. For example, you can escape the HTML in the content. However, in some cases this method is not available because it disables all HTML tags.

Yii integrates Htmlpurifier and provides developers with a useful component chtmlpurifier, which encapsulates the Htmlpurifier class. It can remove all malicious code from the audited content through an effective review, security, and whitelist feature, and ensure that filtered content is filtered to the standard.

The Chtmlpurifier component can be used as a widget or filter. When used as a widget, Chtmlpurifier can safely filter what is displayed in the view. The following is a code example:

<?php $this->beginwidget (' chtmlpurifier ');? >//... This shows what the user entered ... <?php $this->endwidget ();?>

2. Prevention of cross-site request forgery attack

Cross-site request forgery (CSRF) attack, in which an attacker initiates a request from a user's browser to a trusted website when the user's browser visits a malicious website. For example, a malicious website has a picture of the SRC address of this image pointing to a bank website: Http://bank.example/withdraw?transfer=10000&to=someone. If the user accesses the malicious webpage after landing the bank's website, the user's browser will send a directive to the bank's website, which may be "transferring 10000 yuan to the attacker's account". A cross-site attack takes advantage of a particular website that a user trusts, while the CSRF attack is the opposite, taking advantage of a user's identity in a particular site.

To guard against CSRF attacks, one must remember that a GET request allows only data to be retrieved and no data on the server can be modified. The POST request should contain random values that can be identified by the server to ensure that the source of the form data and the result of the operation are sent in the same direction.

Yii implements a CSRF guard mechanism to help protect against post-based attacks. The core of this mechanism is to set a random data in the cookie and compare it to the corresponding value in the post data submitted by the form.

By default, CSRF prevention is disabled. If you want to enable it, you can edit the CHttpRequest section of the component in the app configuration.

code example:

Return Array (' Components  ' =>array ('    request ' =>array (      ' enablecsrfvalidation ' =>true,    ),  ),);

To display a form, use chtml::form instead of writing your own HTML code. Because Chtml::form can automatically embed a hidden item in the form, the hidden item stores the random data needed for validation, which can be sent to the server for verification when the form is submitted.

3. Prevention of Cookie attacks

It is important to protect cookies from attack. Because the session ID is usually stored in a cookie. If an attacker steals a valid session ID, he or she can use the session ID corresponding to that session.

Here are a few precautions:

You can use SSL to generate a secure channel and only send a validation cookie over an HTTPS connection. This way the attacker cannot decrypt the transmitted cookie.

Set the expiration time of the cookie, and do so for all cookies and seesion tokens. This can reduce the chance of being attacked.

Protect against cross-site code attacks, because it can trigger arbitrary code in the user's browser, which may reveal the user's cookie.

Verify the contents of the cookie when there is a change in the cookie.

Yii implements a cookie authentication mechanism to prevent cookies from being modified. When enabled, the value of the cookie can be HMAC-checked.

Cookie authentication is disabled by default. If you want to enable it, you can edit the CHttpRequest section of the component in the app configuration.

code example:

Return Array (' Components  ' =>array ('    request ' =>array ('      enablecookievalidation ' =>true,    ) ,  ),);

Be sure to use YII-validated cookie data. Use Yii's built-in cookie components to operate cookies without using $_cookies.

Retrieves a cookie value named $name $cookie=yii::app ()->request->cookies[$name]; $value = $cookie->value;......// Set a cookie$cookie=new Chttpcookie ($name, $value); Yii::app ()->request->cookies[$name]= $cookie;

For more information on YII related content readers can view this site topic: "YII framework Introduction and common skills Summary", "PHP Excellent Development Framework Summary", "Smarty Template Primer Basic Tutorial", "PHP date and Time usage summary", "PHP object-oriented Programming introduction Tutorial", " PHP String Usage Summary, "Getting Started with Php+mysql database operations" and "PHP Common Database Operations Skills Summary"

It is hoped that this article is helpful to the PHP program design based on YII framework.

Articles you may be interested in:

    • PHP YII Framework Development Little tricks Model (models) Rules custom validation rule
    • Nginx configuration PHP Rewrite rules example of Yii and cakephp framework
    • How to install the Yii framework using composer
    • Yii method for executing SQL statements using the Migrate command
    • Yii Framework framework uses YIIC to quickly create migrate usage examples of YII applications
    • Yii Framework Framework tutorial using YIIC quickly create a detailed application of Yii
    • The internationalization realization method of YII Framework frame Tutorial
    • A detailed description of the caching usage of YII Framework Framework Tutorial
    • A detailed description of the log usage of YII Framework Framework Tutorial
    • An explanation of the exception handling of YII Framework Tutorial
    • Example of common rules for YII rules

http://www.bkjia.com/PHPjc/1110086.html www.bkjia.com true http://www.bkjia.com/PHPjc/1110086.html techarticle The security scheme of the YII Framework Framework Tutorial is explained in detail, yiiframework This article describes the security scheme of YII framework framework. Share to everyone for your reference, as follows: Web application security Q ...

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.