How safe is YII?

Hello there,

I’ve built my own CMS in PHP, but it was hacked last night.

When I move to a framework like Yii, am I safe then? Or should I also build my own security in there, with login systems etc. (my weak point, unfortunately)?

Copy/paste from Yii features

But how secure your CMS will be really depends on your coding… as much as Yii takes care of some security… you can still use


$select="select username,password from users where username='".$_POST['user']."' and password='".$_POST['pass']."'";

and that, as we all know, is bad practice… :D

Yii will help you make your code safer, but it won’t save you from your own mistakes. Always validate input, cast variable types from $_GET/$_POST, and read the PHP Security Guide.

Yii was built by a bunch of people who know what they’re doing, so you’ll be better off with Yii than on your own (probably :) ).

There are a lot of security mechanisms in Yii. See the Security chapter of the docs.

@mdomba: what is the better way for your example?

A better way is to bind parameters to the select command… even better is to also check the $_POST values…

If you have read the Definitive Guide to Yii, you will already have noticed that $_POST is not used directly anywhere… so you just need to follow the Yii usages…
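To make the two points above concrete, here is the login query from the earlier post rewritten the way mdomba describes: values bound as parameters and the $_POST input checked before it is used. This is an added example written for this page, not code from the thread or from Yii itself. It assumes PHP 8 with PDO, a placeholder DSN and credentials, and a `users` table with columns `id`, `username` and `password`, where `password` holds a `password_hash()` digest rather than the plaintext the original query compared against.

```php
<?php
// Added example (not from the thread): the login query from the earlier post,
// rewritten with a prepared statement, input validation and hashed passwords.
// Assumptions: PHP 8, PDO, and a `users` table (id, username, password) where
// `password` is a password_hash() digest. DSN and credentials are placeholders.

declare(strict_types=1);

session_start();

function connect(): PDO
{
    // Placeholder DSN and credentials for this example.
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'secret');
    // Throw on errors and use real server-side prepared statements (no client-side
    // emulation), so bound values are never spliced into the SQL text.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

/**
 * Check the raw POST value before it goes anywhere near the database.
 * Returns null when the value is missing, not a string, or outside policy.
 */
function cleanUsername(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // Letters, digits, dot, underscore and dash; 3 to 32 characters.
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $raw) === 1 ? $raw : null;
}

function cleanPassword(mixed $raw): ?string
{
    if (!is_string($raw) || strlen($raw) < 8 || strlen($raw) > 1024) {
        return null;
    }
    return $raw;
}

/**
 * Look the user up by name only. The password is verified in PHP against the
 * stored hash, so it is never part of the SQL at all.
 * Returns the user's id on success, null on failure.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the response
    // time does not reveal whether the username exists.
    $hash = $row['password'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);

    return ($row !== false && $ok) ? (int) $row['id'] : null;
}

// Request handling: raw $_POST values are validated first and never reach SQL.
$username = cleanUsername($_POST['user'] ?? null);
$password = cleanPassword($_POST['pass'] ?? null);

if ($username === null || $password === null) {
    http_response_code(400);
    exit('Invalid login request.');
}

$userId = authenticate(connect(), $username, $password);
if ($userId === null) {
    http_response_code(401);
    exit('Login failed.');
}

// Rotate the session id on privilege change to prevent session fixation.
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
```

Two things change compared with the original one-liner. First, the only value that reaches the database is bound with `bindValue()`, so a username such as `' OR '1'='1` is compared literally and cannot alter the query. Second, the password is no longer compared inside SQL at all: the stored value is a hash, and `password_verify()` does the comparison in PHP, which is what makes the "check the $_POST values" advice meaningful for a login form. In Yii 1.x, `CDbCommand::bindValue()` on the command returned by `Yii::app()->db->createCommand()` plays the same role as the PDO call above.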