I am thinking of using CakePHP to build a web app. My question is how much of the security stuff will I have to code myself to prevent (SQL injection etc.)? What security stuff does CakePHP take care of by itself and what will I have to code?
Cake does a lot of things automatically, but some things not. Depending on how secure you want your forms, you should also consider "white-listing": details
The easiest method would be to use the Security component.
CakePHP itself is pretty good at it; you will not have to worry about what is submitted. But if you are using the data, everything will of course be unescaped. So a form built from the Helper classes will be XSS safe, but once you are printing out what is in $this->data you must know this and take care to escape it. h() is an often-used alias for htmlspecialchars().
CakePHP has no protection against XSRF out of the box.
For ACL it provides you some components.
For sure it depends on what your code style is and what your understanding of the framework is. For sure if you are using CakePHP functions for storing data it will be pretty much OK.
But currently I am working on a paid CakePHP "Application" which is far from secure code :) So it really depends on the developer.
Cake provides its own features like data validation, the MVC coding pattern, controllers, the Auth component, an automated configuration process and also the Security component. So it's not a thing to worry about. If you are not satisfied with this and want to add your own security component, go through the blog: http://goo.gl/ZoQzLx
Security in Cake can be enabled with a few lines of code, using its built-in classes.
For SQL injection protection
- using CakePHP's $this->find will automatically sanitize your parameters, but if you want to use a raw query you can still sanitize your data using the Sanitize::escape() method
For CSRF protection
- you can enable it in app/Controller/AppController.php
```
public $components = [
    'Security' => [
        'csrfUseOnce' => false,
        'csrfExpires' => '+1 hour',
    ],
];
```
For XSS
- if possible, always use the CakePHP Form Helper (http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html)
- when your data is from a text field, always print it using h() (text to wrap through htmlspecialchars)
https://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
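Putting the advice from the answers above into one CakePHP 2.x skeleton, as an added example that is not from the question or any answer; the file paths, the Post model and the search action are assumptions made for illustration:

```php
<?php
// File: app/Controller/AppController.php (CakePHP 2.x; illustrative, not project code)
App::uses('Controller', 'Controller');

class AppController extends Controller {
    // Security component: CSRF token on every FormHelper-built POST form, plus
    // form-tampering checks. Failing requests are "blackholed" (HTTP 400 by default).
    public $components = array(
        'Security' => array(
            'csrfUseOnce' => false,      // token stays valid for csrfExpires, not one use
            'csrfExpires' => '+1 hour',
        ),
    );
}

// File: app/Controller/PostsController.php (assumed Post model)
App::uses('AppController', 'Controller');

class PostsController extends AppController {
    public function search() {
        $term = (string)$this->request->query('q');   // untrusted user input

        // Unsafe: interpolating $term into raw SQL is an injection hole.
        // $this->Post->query("SELECT * FROM posts WHERE title LIKE '%$term%'");

        // Safe: a conditions array lets the datasource quote the value itself.
        $posts = $this->Post->find('all', array(
            'conditions' => array('Post.title LIKE' => '%' . $term . '%'),
            'limit'      => 20,
        ));
        $this->set(compact('posts', 'term'));
    }
}
?>
<!-- File: app/View/Posts/search.ctp -->
<!-- $term came from the query string: escape it with h() before echoing -->
<h2>Results for "<?php echo h($term); ?>"</h2>
<ul>
<?php foreach ($posts as $post): ?>
    <!-- stored content is unescaped too; h() on every output prevents stored XSS -->
    <li><?php echo h($post['Post']['title']); ?></li>
<?php endforeach; ?>
</ul>
<?php
// A FormHelper form: the Security component adds the CSRF token and field hash,
// and blackholes a POST whose token is missing, expired or tampered with.
echo $this->Form->create('Post', array('action' => 'add'));
echo $this->Form->input('title');
echo $this->Form->end('Save');
?>
```

A form not built with FormHelper (or one whose fields were added client-side) will be blackholed by the Security component, so keep hand-written forms out of controllers that load it, or list those actions in $this->Security->unlockedActions.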