Comments on the wiki post "Yii Security-extended guide"

This is an answer to a comment by the author of the article.


  1. At least we agree on input validation.

  2. Putting SQL in the model instead of the controller is indeed a good practice, but it has no impact on security.

  3. So you admit you don’t know how find() works. Thank you for being honest, but can you understand that gives an insecure feeling to your whole text. find() methods are just helpers that issue a select and put the result in objects. It’s up to the developer to use prepared statements or not. For instance, prepared statements can’t be used to check is a value is in a list: find('a IN (' . join(',', $array) . ')').

  4. You deleted it.

I don’t want to be rude, but, as I said, I believe this kind of subject should not be treated by someone who lacks experience (especially in security, but also in Yii). People could feel secure once they have followed the recommendations, and they shouldn’t be.

You’re right when you say I should improve the article. But it would take a long time, especially since I’m not an native English speaker, and I’m not a specialist on security (though I have some experience). Maybe I’ll try anyway.