php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-11-23 01:57:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6519 from pana1990/patch-1

Browse Source 
fix  mistake small  [skip ci]
This commit is contained in:
Alexander Makarov
2014-12-14 20:06:41 +03:00
parent 996856c04c 0f0d9020b3
commit d05a373b1f
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/guide/security-best-practices.md
View File

@@ -1,7 +1,7 @@
Security best practices Security best practices
======================= =======================
Below we'll review common security principles and describe how to avoid threats when developing applications using Yii. Below we'll review common security principles and describe how to avoid threats when developing applications using Yii.
Basic principles Basic principles
---------------- ----------------
@@ -56,7 +56,7 @@ SELECT * FROM user WHERE username = ''; DROP TABLE user; --'
This is valid query that will search for users with empty username and then will drop `user` table most probably This is valid query that will search for users with empty username and then will drop `user` table most probably
resulting in broken website and data loss (you've set up regular backups, right?). resulting in broken website and data loss (you've set up regular backups, right?).
In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO perpared In Yii most of database querying happens via [Active Record](db-active-record.md) which properly uses PDO prepared
statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above. statements internally. In case of prepared statements it's not possible to manipulate query as was demonstrated above.
Still, sometimes you need [raw queries](db-dao.md) or [query builder](db-query-builder.md). In this case you should use Still, sometimes you need [raw queries](db-dao.md) or [query builder](db-query-builder.md). In this case you should use
@@ -69,7 +69,7 @@ $userIDs = (new Query())
->from('user') ->from('user')
->where('status=:status', [':status' => $status]) ->where('status=:status', [':status' => $status])
->all(); ->all();
// DAO // DAO
$userIDs = $connection $userIDs = $connection
->createCommand('SELECT id FROM user where status=:status') ->createCommand('SELECT id FROM user where status=:status')
@@ -138,7 +138,7 @@ Avoiding debug info and tools at production
In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these In debug mode Yii shows quite verbose errors which are certainly helpful for development. The thing is that these
verbose errors are handy for attacker as well since these could reveal database structure, configuration values and verbose errors are handy for attacker as well since these could reveal database structure, configuration values and
parts of your code. Never run production applications with `YII_DEBUG` set to `true` in your `index.php`. parts of your code. Never run production applications with `YII_DEBUG` set to `true` in your `index.php`.
You should never enalble Gii at production. It could be used to get information about database structure, code and to You should never enalble Gii at production. It could be used to get information about database structure, code and to
simply rewrite code with what's generated by Gii. simply rewrite code with what's generated by Gii.