You can also find some information on http://www.dereuromark.de/2010/10/05/cakephp-security/

Basically, sanitizing was often used too eagerly, instead of using validation (which also is usually used too restrictively) and sane output escaping.

Use whitelisting for security-sensitive views - or use RequestHandler if possible. Escape all plain output on display - clean HTML output on save. Nothing more to do usually. If you want to test your application against attacks, try SQL injection and XSS snippets and see if they go through. They shouldn't :)

On Wednesday, 9 October 2013 08:02:09 UTC+2, Reuben wrote:
>
> Hi Matthew
>
> With regards to Q1, I remember reading something to the effect that there are other tools that do the job better. There was a detailed article somewhere, but I can't locate it at the moment. As the web reference you gave states, Sanitize was destructive, instead of just making sure the data submitted was okay. Models still sanitize their data, so Little Bobby Tables shouldn't get through. There's usage of h() for output, HTML Purifier for HTML input (though I've never used it) and the Security Component with the Form Helper to prevent tampering with form input.
>
> I've never used CakePHP's Security Component, but I have used other frameworks with a similar concept. Usage of the component depends on how dynamic your forms are. If you're adding form elements on the fly, then the security component might not work so well for those particular forms. Cake Validation just improves the quality of your input, but I wouldn't rely on it for any sort of security check.
>
> Your best bet for security is unit and integration tests. Check out the CakePHP tests that test security. Write your own tests for your own forms to satisfy yourself that malicious form data will get caught.
>
> On Wednesday, 9 October 2013 04:48:22 UTC+10, [email protected] wrote:
>>
>> Greetings,
>> I am new to this community -- and to CakePHP itself. I have been testing a long list of PHP frameworks (CodeIgniter, Laravel, Symfony, Yii) and find myself really attracted to Cake because of the logic of how it works. It just makes sense to me!
>>
>> OK, for my actual questions on security...
>>
>> 1. I'm confused about the Cake documentation entry stating that the Sanitize element is no longer being maintained (http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html). Is this because it is no longer needed, or is it because we are expected to find an external library for this purpose?
>> 2. Is it enough to use this combination of elements in my apps:
>> (a) FormHelper <http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html>
>> (b) SecurityComponent <http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html>
>> (c) Cake Validation <http://book.cakephp.org/2.0/en/models/data-validation.html>
>>
>> I know security is a very big topic. And I know we can never be 100% certain we have covered everything. But when do Cake developers generally reach that balance where they have done enough?
>>
>> Thanks,
>> Matthew
>>

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.
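As an added example (not code from the thread, and not CakePHP's own code), here is the kind of self-check the top reply and Reuben's answer describe: feed a handful of XSS snippets through a view fragment and confirm that, with "escape on display", none of them survives as live markup. It assumes CakePHP 2.x's global h() (a wrapper around htmlspecialchars with ENT_QUOTES and UTF-8); outside a Cake app the block defines a fallback with the same semantics. The renderTitleSafe/renderTitleUnsafe functions and the sample snippets are constructed for this example.

```php
<?php
// Added example, not from the thread or from CakePHP. Assumes CakePHP 2.x's
// h() helper; outside Cake this fallback reproduces its htmlspecialchars
// semantics (ENT_QUOTES so both quote styles are escaped, UTF-8 charset).
if (!function_exists('h')) {
    function h($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// The "escape all plain output on display" rule: model data goes through
// h() at the moment it is printed into the view.
function renderTitleSafe($title) {
    return '<h1 class="title">' . h($title) . '</h1>';
}

// The pattern the smoke test is meant to flag: raw data concatenated into
// markup. Kept here only so the test below has a failing case to report.
function renderTitleUnsafe($title) {
    return '<h1 class="title">' . $title . '</h1>';
}

// Constructed sample inputs of the kind one pastes into a form field during
// a quick XSS check. Each one tries a different escape: a tag, an attribute
// breakout with double quotes, one with single quotes, and closing the
// surrounding element.
function xssSnippets() {
    return array(
        '<script>alert(1)</script>',
        '"><img src=x onerror=alert(1)>',
        "' onmouseover='alert(1)",
        '</h1><h1>injected</h1>',
    );
}

// Runs every snippet through a renderer and returns the ones that leaked.
// A renderer passes when, after the trusted wrapper the view itself emits is
// stripped, the remaining text contains no '<', '>' or unescaped quote, i.e.
// the input came out as text and can neither open a tag nor end an attribute.
function xssSmokeTest($renderer) {
    $prefix = '<h1 class="title">';
    $suffix = '</h1>';
    $failures = array();
    foreach (xssSnippets() as $snippet) {
        $html = call_user_func($renderer, $snippet);
        $inner = substr($html, strlen($prefix), -strlen($suffix));
        if (strpbrk($inner, '<>"\'') !== false) {
            $failures[] = $snippet;
        }
    }
    return $failures;
}

$total = count(xssSnippets());
$safeLeaks = xssSmokeTest('renderTitleSafe');
$unsafeLeaks = xssSmokeTest('renderTitleUnsafe');
printf("safe renderer:   %d of %d snippets leaked\n", count($safeLeaks), $total);
printf("unsafe renderer: %d of %d snippets leaked\n", count($unsafeLeaks), $total);
foreach ($unsafeLeaks as $leak) {
    printf("  leaked through unsafe renderer: %s\n", $leak);
}
```

The check is deliberately narrow: it only proves that a given view fragment escapes what it prints, which is exactly the property the thread says output escaping should guarantee. It says nothing about fields that are intentionally stored as HTML (the "clean HTML on save" half, where Reuben points at HTML Purifier), and it is no substitute for the Cake integration tests Reuben recommends, which exercise the real controllers and forms rather than a single function.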
