On 7/15/07, Feris Thia <[EMAIL PROTECTED]> wrote:
> Wow, 99% is a great number. So, I can conclude there are not many
> security concerns for CakePHP if we follow conventions as you said.
> That will relieve me much.

The big issues are usually to do with input from users that contains malicious code (like javascript or attempts to manipulate database queries by packing things onto the end of a URL), so you need to be aware of the proper techniques for filtering input you get via forms and via the URL. If I understand correctly, anything to do with parameters passed around using the various model methods (i.e. findAll) is correctly filtered. I'd have to actually check the form input handlers to tell you with 100% certainty that data from form input is being automatically escaped, but knowing Larry and the other core developers like I do, I'd say it's very likely that it is being done.

> Btw, what do you mean by escaping output?

By escaping output, I mean that you should NEVER simply echo back input that you've gotten from a user. You should run it through things like htmlentities() and strip_tags() and other similar tools, with the goal being to remove anything other than just the information you want them to enter.

Go to Chris Shiflett's web site http://shiflett.org/ for some of the best info out there on PHP security tips and techniques.

-- 
Chris Hartjes
Senior Developer
Cake Development Corporation

My motto for 2007: "Just build it, damnit!"

@TheBallpark - http://www.littlehart.net/attheballpark
@TheKeyboard - http://www.littlehart.net/atthekeyboard
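Added example (not from the thread or from CakePHP itself) of the output escaping Chris describes: a constructed form value echoed back raw versus escaped for the HTML and URL contexts it lands in, with strip_tags() shown as a filtering step rather than an escaping one. The helper names escapeHtml() and escapeUrlParam() are hypothetical; htmlspecialchars(), strip_tags() and rawurlencode() are standard PHP.

```php
<?php
// Added example, not code from the original thread or from CakePHP.
// Helper names below are hypothetical; the built-ins are standard PHP.

// Constructed sample of what a user might submit through a form field:
// a stray double quote (breaks out of an attribute) plus a script tag.
$userInput = '<b>Hi</b>" <script>alert(1)</script>';

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also converts single quotes; the charset must match the
// page's declared charset or the escaping can be bypassed.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a URL query parameter: a different context, a different rule.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// UNSAFE, as the reply warns against: echoing input straight back.
// echo "<p>You entered: $userInput</p>";

// SAFE: same output positions, each escaped for its own context.
echo "<p>You entered: " . escapeHtml($userInput) . "</p>\n";
echo '<input type="text" value="' . escapeHtml($userInput) . "\">\n";
echo '<a href="/search?q=' . escapeUrlParam($userInput) . "\">search again</a>\n";

// strip_tags() removes the tags but keeps the stray quote that can break
// out of an attribute, so its result still has to be escaped on output.
$filtered = strip_tags($userInput);
echo '<input type="text" value="' . escapeHtml($filtered) . "\">\n";
```

Filtering on input (strip_tags) and escaping on output (htmlspecialchars) are separate steps; the second is the one that must never be skipped.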
