confused about 'safe' and 'unsafe' attributes

Hi

just came across this piece of text in Safe Attributes in 1.1

What does it actually mean? I am confused about it. Shouldn't every user input be validated?

I somehow have a feeling that I am wrong in my interpretation of the above text.

Please explain.

Thanks

Yes it should. But text fields, for example, can be saved without a validation (but can be “cleaned” with php string functions or HTML Purifier). So you’ll have in rules:

array('description', 'safe'),

The safe validator is not a validator, it is just a workaround.

The question of safe attributes is a question of safety.

When you use the line:

$model->attributes = $_POST['modelClass']; // massive assignment of all posted fields at once

All the attributes will be massively assigned. That is a bit unsafe; let's imagine that you have a field 'moderated' that is supposed to be set by a moderator.

A user can, for example with Firebug, add a hidden field moderated with value 1, and will self-moderate his post.

That is not what is going on in Yii.

Yii will assign only attributes that are 'safe', so attributes that are supposed to be edited according to user input.

Yii considers as safe all attributes that have a validator on them. The safe validator is just a workaround to make safe (so editable according to user input) a field that will not be validated.

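Added example, not code from the thread or from Yii itself: a small stand-alone PHP model that mimics the safe-attribute rule described in the answer above (attributes named in a rule are mass-assignable, anything else, including a smuggled 'moderated' field, is dropped). The class PostForm and its methods are hypothetical stand-ins written for this illustration, not Yii's CModel.

```php
<?php
// Added example, not code from the thread or from Yii: a minimal stand-in
// model that mimics the rule Yii 1.1 applies to massive assignment, as
// described above. Class and method names here are hypothetical.
class PostForm
{
    public $title;
    public $body;
    public $moderated = 0;   // meant to be set only by a moderator
    public function rules()
    {
        return array(
            array('title', 'required'),   // has a validator, so it is safe
            array('body', 'safe'),        // not validated, but declared safe
            // 'moderated' is in no rule, so it is not safe
        );
    }

    // Attributes named in any rule are safe, unless an 'unsafe' rule
    // names them (the 'unsafe' rule wins regardless of order).
    public function safeAttributeNames()
    {
        $safe = $unsafe = array();
        foreach ($this->rules() as $rule) {
            foreach (preg_split('/\s*,\s*/', trim($rule[0])) as $name) {
                if ($rule[1] === 'unsafe') {
                    $unsafe[$name] = true;
                } else {
                    $safe[$name] = true;
                }
            }
        }
        return array_keys(array_diff_key($safe, $unsafe));
    }

    // Massive assignment: copy only safe attributes from the request.
    public function setAttributes(array $values)
    {
        $safe = array_flip($this->safeAttributeNames());
        foreach ($values as $name => $value) {
            if (isset($safe[$name])) {
                $this->$name = $value;
            }
        }
    }
}

// Constructed request with a smuggled hidden field 'moderated'.
$post = new PostForm();
$post->setAttributes(array('title' => 'Hi', 'body' => 'x', 'moderated' => 1));
echo 'moderated = ' . $post->moderated . PHP_EOL;
```

Running it shows that only title and body are copied while moderated keeps its default, which is exactly why a field that must not be user-editable should not be given any rule (or should be listed under 'unsafe').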

Thanks, got the point. I am just starting with Yii, so sometimes it gets confusing.