Understanding Security Feature Relationships in CakePHP 3.x

Asked 1 years ago, Updated 1 years ago, 122 views

Thank you for your help.

Development using CakePHP 3.0 or later requires a security investigation.
For CakePHP 3.0, I'm asking because I want to know what functions to use.

1. Escape processing for SQL injection countermeasures
If the placeholder implementation is difficult, the value must be escaped, but
Does CakePHP have a function for escape processing?
I looked it up and found something called Model->find(), but is it common to use it?

2. About excluding script elements for XSS countermeasures
IPA's
How to Create a Secure Web Site
p.25
as applicable to "1.5.2 HTML Text Allowance" Do you have any functions?

3. About Cookie Settings
The httpOnly attribute is set to
Should I use CookieComponent httpOnly=>true?

4. Disable http method
To disable methods such as delete and trace
Should I use request->allowMethod?

5. About Response Header Settings
Content-Type, X-Content-Type-Options, and Content-Disposition settings are
Should I use the Cake\Http\Response class?

6. About line breaks for http header injection
Is there a function of CakePHP that checks line breaks and encodes percentages?

I'm sorry that there are so many things to check, but I appreciate your cooperation.

php cakephp

2022-09-30 21:25

1 Answers

1. Escape processing for SQL injection countermeasures
If the placeholder implementation is difficult, the value must be escaped, but
Does cakePHP have a function for escape processing?

The escape function does not appear to be in cakePHP.It seems that the policy is to use placeholders.In the case of algae, it seems that the only way to do this is to pull out PDO and DB drivers and use those escape functions directly.

I looked it up and found something called Model->find(), but is it common to use it?

find is the interface for searching.

2. About excluding script elements for XSS countermeasures

I think you can use PHP's DOMDocument.

3. About Cookie Settings
The httpOnly attribute is set to
Should I use CookieComponent httpOnly=>true?

Yes

4. Disable http method
To disable methods such as delete and trace
Should I use request->allowMethod?

Server-side restrictions.

5. About Response Header Settings
Content-Type, X-Content-Type-Options, and Content-Disposition settings are
Should I use the Cake\Http\Response class?

Yes

6. About line breaks for http header injection
Is there a function of cakePHP that checks line breaks and encodes percentages?

I think you can use the PHP function.

I have a general impression, but

  • Read the reference carefully
  • Try creating applications using the framework in tutorials, etc.
  • Learn the basics of how web applications work and security

There is a lack of basic elements such as this, and I think it will be difficult to investigate the security relationship in development using the framework.

2022-09-30 21:25

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

522 Who developed the "avformat-59.dll" that comes with FFmpeg?

495 No exact matches in call to instance method 'append'

515 PHP ssh2_scp_send fails to send files as intended

519 Unable to install versioned in Google Colab

520 Scrap text information after the "View More" button when searching in the Yahoo! News search window

© 2024 OneMinuteCode. All rights reserved.