O Guia Definitivo do Yii 1.1

More documents

Recommendations

Info

Cross-site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers. One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferable because it disables all HTML tags. Yii incorporates the work of HTMLPurifier and provides developers with a useful component called CHtmlPurifier that encapsulates HTMLPurifier. This component is capable of removing all malicious code with a thoroughly audited, secure yet permissive whitelist and making sure the filtered content is standard-compliant. The CHtmlPurifier component can be used as either a widget or a filter. When used as a widget, CHtmlPurifier will purify contents displayed in its body in a view. For example, ...display user-entered content here... Cross-site Request Forgery Prevention Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site. For example, a malicious web site has a page that contains an image tag whose src points to a banking site: http://bank.example/withdraw?transfer=10000&to=someone. If a user who has a login cookie for the banking site happens to visit this malicious page, the action of transferring 10000 dollars to someone will be executed. Contrary to cross-site, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has for a particular user. To prevent CSRF attacks, it is important to abide to the rule that GET requests should only be allowed to retrieve data rather than modify any data on the server. And for POST requests, they should include some random value which can be recognized by the server to ensure the form is submitted from and the result is sent back to the same origin. Yii implements a CSRF prevention scheme to help defeat POST-based attacks. It is based on storing a random value in a cookie and comparing this value with the value submitted via the POST request. By default, the CSRF prevention is disabled. To enable it, configure the CHttpRequest application component in the application configuration as follows,
eturn array( 'components'=>array( 'request'=>array( 'enableCsrfValidation'=>true, ), ), ); And to display a form, call CHtml::form instead of writing the HTML form tag directly. The CHtml::form method will embed the necessary random value in a hidden field so that it can be submitted for CSRF validation. Cookie Attack Prevention Protecting cookies from being attacked is of extreme importance, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information. There are several countermeasures to prevent cookies from being attacked. • An application can use SSL to create a secure communication channel and only pass the authentication cookie over an HTTPS connection. Attackers are thus unable to decipher the contents in the transferred cookies. • Expire sessions appropriately, including all cookies and session tokens, to reduce the likelihood of being attacked. • Prevent cross-site scripting which causes arbitrary code to run in a user's browser and expose his cookies. • Validate cookie data and detect if they are altered. Yii implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enabled. Cookie validation is disabled by default. To enable it, configure the CHttpRequest application component in the application configuration as follows, return array( 'components'=>array( 'request'=>array( 'enableCookieValidation'=>true, ), ), ); To make use of the cookie validation scheme provided by Yii, we also need to access cookies through the cookies collection, instead of directly through $_COOKIES:
Page 1 and 2:
O Guia Definitivo do Yii 1.1 Qiang
Page 3 and 4:
Coletando Entradas Tabulares! 59 Tr
Page 5 and 6:
Primeiros Passos Visão Geral Esse
Page 7 and 8:
• Added support for profiling SQL
Page 9 and 10:
no desenvolvimento Web e da investi
Page 11 and 12:
Página de Contato
Page 13 and 14:
Página de Login A listagem seguint
Page 15 and 16:
Conectando ao Banco de Dados A maio
Page 17 and 18:
% cd WebRoot/testdrive % protected/
Page 19 and 20:
Página de administração dos usu
Page 21 and 22:
Conceitos Básicos Modelo-Visão-Co
Page 23 and 24:
controle de acesso, benchmarking) a
Page 25 and 26:
deny from all Componentes da Aplica
Page 27 and 28:
3. Executa o controle; 8. Dispara o
Page 29 and 30:
class UpdateAction extends CAction
Page 31 and 32:
class PerformanceFilter extends CFi
Page 33 and 34:
$this->render('edit', array( 'var1'
Page 35 and 36:
A nomeclatura das visões do sistem
Page 37 and 38:
Um evento pode ter diversos manipul
Page 39 and 40:
forum/ ForumModule.php components/
Page 41 and 42:
RootAlias.path.to.target Onde RootA
Page 43 and 44:
Como não há suporte a namespaces
Page 45 and 46:
5. Implemente ações e as visões.
Page 47 and 48:
widgets that generate a lot of HTML
Page 49 and 50:
class LoginForm extends CFormModel
Page 51 and 52:
validação deverá ser efetuada; o
Page 53 and 54:
Nesse trecho de código, temos uma
Page 55 and 56:
public function rules() { return ar
Page 57 and 58:
Nota: Para fazer com que a variáve
Page 59 and 60:
A Página de Login com Erros A part
Page 61 and 62:
NamePriceCountDescription
Page 63 and 64:
usuário e senha para o acesso. Uma
Page 65 and 66:
Depois que o método CDbCommand::qu
Page 67 and 68:
Para mais detalhes sobre a vincula
Page 69 and 70:
• where: specifies the WHERE part
Page 71 and 72:
For example, array('in', 'id', arra
Page 73 and 74:
join and its variants function join
Page 75 and 76:
$sql = Yii::app()->db->createComman
Page 77 and 78:
uild and execute the following SQL:
Page 79 and 80:
CREATE TABLE `tbl_user` ( // `id` i
Page 81 and 82:
the new column name. The query buil
Page 83 and 84:
Below is an example showing how to
Page 85 and 86:
Dica: Existem duas maneiras de trab
Page 87 and 88:
class Post extends CActiveRecord {
Page 89 and 90:
$post=Post::model()->find(array( 's
Page 91 and 92:
Validação de Dados Ao inserir ou
Page 93 and 94:
$model=Post::model(); $transaction=
Page 95 and 96:
Named scopes podem ser parametrizad
Page 97 and 98:
Informação: O suporte à chaves e
Page 99 and 100:
Informação: Uma chave estrangeira
Page 101 and 102:
$posts=Post::model()->with( 'author
Page 103 and 104:
Informação: Quando o nome de uma
Page 105 and 106:
Deve ser um vetor com pares nome-va
Page 107 and 108:
The required name parameter specifi
Page 109 and 110:
Sometimes, we may only want to appl
Page 111 and 112:
yiic migrate up --migrationPath=ext
Page 113 and 114:
• CZendDataCache: utiliza o Zend
Page 115 and 116:
value irá expirar em 30 segundos /
Page 117 and 118:
usuários. Para armazenar em cache
Page 119 and 120:
A configuração acima, faz com que
Page 121 and 122:
Nota: O path alias ext está dispon
Page 123 and 124:
public function behaviors() { retur
Page 125 and 126:
Controle Um controle, fornece um co
Page 127 and 128:
• An extension should be self-con
Page 129 and 130:
method invocations, we can start ou
Page 131 and 132:
A console command should extend fro
Page 133 and 134:
Testes Visão Geral Note: The testi
Page 135 and 136:
$yiit='path/to/yii/framework/yiit.p
Page 138 and 139:
Tip: Having too many fixture files
Page 140 and 141:
public function testApprove() { //
Page 142 and 143: class PostTest extends WebTestCase
Page 144 and 145: array( ...... 'components'=>array(
Page 146 and 147: array( 'posts'=>'post/list', 'post/
Page 148 and 149: We first need to configure the Web
Page 150 and 151: class UserIdentity extends CUserIde
Page 152 and 153: Although Yii has measures to preven
Page 154 and 155: The access rules are evaluated one
Page 156 and 157: a permission that is atomic. For ex
Page 158 and 159: $auth=Yii::app()->authManager; $aut
Page 160 and 161: Default roles must be declared in t
Page 162 and 163: WebRoot/ assets protected/ .htacces
Page 164 and 165: eturn array( 'components'=>array( '
Page 166 and 167: If we create a widget with a set o
Page 168 and 169: To use message routing, we need to
Page 170 and 171: array( ...... 'preload'=>array('log
Page 172 and 173: Yii defines two exception classes:
Page 174 and 175: Web Service Web service is a softwa
Page 176 and 177: To complete the example, let's crea
Page 178 and 179: class PostController extends CContr
Page 180 and 181: When translating a message, its cat
Page 182 and 183: '1#one book|n>1#many books' Plural
Page 184 and 185: The CDateFormatter class mainly pro
Page 186 and 187: // body content for the widget //
Page 188 and 189: Yii represents each console task in
Page 190 and 191: yiic sitemap index --type=News --li
Page 194 and 195: etrieve the cookie with the specifi
Page 196 and 197: Note: The scriptMap feature describ
show all

O Guia Definitivo do Yii 1.1

Create successful ePaper yourself

Delete template?

Save as template?