Understanding Security Feature Relationships in CakePHP 3.x


Thank you for your help.

I need to investigate security for development using CakePHP 3.0 or later.
I am asking because I want to know which functions to use in CakePHP 3.0.

1. Escape processing as an SQL injection countermeasure
If implementing placeholders is difficult, the value has to be escaped, but
does CakePHP have a function for escape processing?
I looked it up and found something called Model->find(), but is it common to use that?

2. About removing script elements as an XSS countermeasure
Is there a function that corresponds to "1.5.2 Allowing HTML text" on p.25 of IPA's
"How to Create a Secure Web Site"?

3. About cookie settings
To set the httpOnly attribute, should I use CookieComponent with httpOnly => true?

4. Disabling HTTP methods
To disable methods such as DELETE and TRACE, should I use request->allowMethod?

5. About response header settings
For the Content-Type, X-Content-Type-Options, and Content-Disposition settings,
should I use the Cake\Http\Response class?

6. About line breaks and HTTP header injection
Does CakePHP have a function that checks for line breaks and does percent-encoding?

I'm sorry that there are so many things to check, but I appreciate your cooperation.

php cakephp

2022-09-30 21:25

1 Answer

1. Escape processing as an SQL injection countermeasure
If implementing placeholders is difficult, the value has to be escaped, but
does CakePHP have a function for escape processing?

There does not appear to be an escape function in CakePHP. It seems the policy is to use placeholders. If you really must, it seems the only way is to pull out PDO or the DB driver and use their escape functions directly.

I looked it up and found something called Model->find(), but is it common to use it?

find is the interface for searching.

2. About removing script elements as an XSS countermeasure

I think you can use PHP's DOMDocument.

3. About cookie settings
To set the httpOnly attribute, should I use CookieComponent with httpOnly => true?

Yes

4. Disabling HTTP methods
To disable methods such as DELETE and TRACE, should I use request->allowMethod?

That is a server-side restriction.

5. About response header settings
For the Content-Type, X-Content-Type-Options, and Content-Disposition settings,
should I use the Cake\Http\Response class?

Yes

6. About line breaks and HTTP header injection
Does CakePHP have a function that checks for line breaks and does percent-encoding?

I think you can use PHP's own functions for that.

As a general impression:

  • Read the reference carefully
  • Try building applications with the framework by following the tutorials, etc.
  • Learn the basics of how web applications work and of security

Without basic elements like these, I think it will be difficult to investigate security in development using the framework.


2022-09-30 21:25
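Worked example for item 1, added by the editor and not part of the question or the answer above: how CakePHP 3.x gets user input into a query without hand escaping, and what the "pull out the driver" fallback the answer mentions looks like. It assumes a CakePHP 3.x application with a `default` connection and an `articles` table with `id`, `title`, `author_id` and `created` columns; every input value below is a constructed attacker-style string.

```php
<?php
// Added example (not from the question or the answer). Assumes a CakePHP 3.x
// app with a `default` connection and an `articles` table (id, title,
// author_id, created). All inputs below are constructed attacker-style values.
use Cake\Datasource\ConnectionManager;
use Cake\ORM\TableRegistry;

$title = "foo' OR 1=1 --";
$authorId = '1 OR 1=1';
$term = '50%';
$sortInput = 'title; DROP TABLE articles';

// 1) ORM query builder: array conditions become bound parameters, converted
//    with the column's declared type. '1 OR 1=1' never reaches the SQL text:
//    depending on the 3.x release the integer type rejects it or casts it to 1.
$articles = TableRegistry::get('Articles');
$query = $articles->find()
    ->where(['title' => $title, 'author_id' => $authorId])
    ->limit(10);
$sqlText = $query->sql();   // shows :c0 / :c1 placeholders, not the raw values

// 2) Hand-written SQL: Connection::execute() with named placeholders. The
//    third argument declares the parameter types, so the same typing applies.
$conn = ConnectionManager::get('default');
$rows = $conn->execute(
    'SELECT id, title FROM articles WHERE title = :title AND author_id = :author',
    ['title' => $title, 'author' => $authorId],
    ['title' => 'string', 'author' => 'integer']
)->fetchAll('assoc');

// 3) LIKE: the placeholder handles the quoting, but % and _ are still
//    wildcards, so escape them when the user must not wildcard-search.
$escapedTerm = addcslashes($term, '%_\\');
$likeRows = $articles->find()
    ->where(['title LIKE' => '%' . $escapedTerm . '%'])
    ->toArray();

// 4) Only when a placeholder is impossible: Connection::quote() delegates to
//    the driver (PDO::quote). It quotes VALUES only; it cannot make an
//    identifier safe, so a column name for ORDER BY must come from an allow-list.
$quotedTitle = $conn->quote($title, 'string');
$allowedSorts = ['title', 'created'];
$sort = in_array($sortInput, $allowedSorts, true) ? $sortInput : 'created';
$manualRows = $conn
    ->execute("SELECT id FROM articles WHERE title = {$quotedTitle} ORDER BY {$sort}")
    ->fetchAll('assoc');
```

The point of case 4 is that escaping is the last resort, not an equivalent: `quote()` covers string values only, and anything that is not a value (table names, column names, `ASC`/`DESC`) has to be constrained by your own allow-list because no escape function can help there.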

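Worked example for item 2, added by the editor and not part of the original posts: an allow-list sanitizer on PHP's DOMDocument, the approach the answer points at for the case where some HTML must be kept. The allowed tags, attributes and URL schemes, and the sample input, are assumptions chosen for the demo; the script runs on plain PHP without CakePHP. Where the output is plain text rather than HTML, CakePHP 3's `h()` (an `htmlspecialchars` wrapper) is the right tool instead.

```php
<?php
// Added example (not from the question or the answer): allow-list HTML
// sanitizer on DOMDocument. Allowed tags/attributes/schemes and the input
// are assumptions for the demo.

function sanitizeHtml(string $html): string
{
    $allowedTags = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
    $allowedAttrs = ['a' => ['href']];
    $allowedSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // no warnings for sloppy markup
    // The XML PI forces UTF-8; the body wrapper gives us a root to walk.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanChildren($body, $allowedTags, $allowedAttrs, $allowedSchemes);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // text comes back with <, >, & re-encoded
    }
    return $out;
}

function cleanChildren(DOMNode $node, array $tags, array $attrs, array $schemes): void
{
    // Walk a static copy: removing or moving children of a live NodeList skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);              // comments, PIs, etc.
            continue;
        }
        $name = strtolower($child->nodeName);
        if (in_array($name, ['script', 'style', 'iframe', 'object', 'embed', 'noscript'], true)) {
            $node->removeChild($child);              // drop element AND its content
            continue;
        }
        cleanChildren($child, $tags, $attrs, $schemes);   // recurse before unwrapping
        if (!in_array($name, $tags, true)) {
            // Unlisted tag (div, span, img, ...): keep its cleaned children, drop the tag.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $attrName = strtolower($attr->name);
            $keep = in_array($attrName, $attrs[$name] ?? [], true);
            if ($keep && $attrName === 'href' && !isSafeUrl($attr->value, $schemes)) {
                $keep = false;                       // javascript:, data:, vbscript: ...
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);   // this also drops every on* handler
            }
        }
    }
}

function isSafeUrl(string $url, array $schemes): bool
{
    // Browsers strip tabs/newlines and leading controls before reading the
    // scheme, so "java\tscript:" must be treated as "javascript:".
    $url = preg_replace('/[\x00-\x20]/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;                                 // relative URL, no scheme
    }
    return in_array(strtolower($m[1]), $schemes, true);
}

// Constructed hostile input: inline handler, script tag, obfuscated
// javascript: link, img with onerror.
$input = '<p onclick="alert(1)">Hi <b>there</b><script>alert(1)</script>'
    . '<a href="jAva&#9;script:alert(1)">x</a> <a href="https://example.com/">ok</a>'
    . '<img src=x onerror=alert(1)></p>';
echo sanitizeHtml($input), "\n";
```

Two design choices matter here. Attributes are handled by an allow-list per tag, so there is no list of dangerous `on*` names to keep current; and unknown elements are unwrapped rather than deleted, so user text survives while the markup does not. Note that this is a demo of the technique; a maintained library such as HTML Purifier covers many more parser corner cases than a hand-written walker.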

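Worked example for items 3 to 6, added by the editor and not part of the original posts: one controller that sets HttpOnly on cookies, restricts the HTTP method, sets the three response headers and refuses CR/LF in header values. The controller name, action names and CSV content are assumptions for the demo; the framework calls are CakePHP 3.6+ APIs (the immutable `Cake\Http\Response` methods and the `Cake\Http\Exception` namespace).

```php
<?php
// Added example (not from the question or the answer): one CakePHP 3.6+
// controller applying items 3 to 6. Controller/action names and the CSV
// content are assumptions for the demo.
namespace App\Controller;

use Cake\Http\Exception\BadRequestException;

class ReportsController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        // Item 3: every cookie written through CookieComponent carries HttpOnly
        // (and Secure). The session cookie is configured separately in
        // config/app.php: 'Session' => ['ini' => ['session.cookie_httponly' => 1]].
        $this->loadComponent('Cookie', [
            'httpOnly' => true,
            'secure' => true,
            'expires' => '+1 day',
        ]);
    }

    public function export()
    {
        // Item 4: any method other than POST raises MethodNotAllowedException (405).
        // TRACE never reaches the app; disable it in the web server (Apache: TraceEnable off).
        $this->request->allowMethod(['post']);

        $name = $this->request->getData('filename');
        $name = is_string($name) && $name !== '' ? $name : 'report';
        // Item 6: a CR or LF in a header value would start a new header line.
        // PHP's header() refuses such values anyway; rejecting here gives a clean 400.
        if (preg_match('/[\r\n]/', $name)) {
            throw new BadRequestException('Invalid filename');
        }
        $filename = $name . '.csv';
        // filename= may only hold printable ASCII without " or \; everything
        // else goes percent-encoded into filename* (RFC 6266 / RFC 8187).
        $asciiName = preg_replace('/[^\x20-\x7e]|["\\\\]/', '_', $filename);
        $encodedName = rawurlencode($filename);

        $csv = "id,name\n1,alice\n";   // constructed content
        // Item 5: explicit Content-Type, nosniff, and Content-Disposition.
        $this->response = $this->response
            ->withType('csv')                                   // Content-Type: text/csv
            ->withHeader('X-Content-Type-Options', 'nosniff')
            ->withHeader(
                'Content-Disposition',
                'attachment; filename="' . $asciiName . '"; filename*=UTF-8\'\'' . $encodedName
            )
            ->withStringBody($csv);
        return $this->response;
    }

    public function back()
    {
        // Item 6 again, for Location: accept only a same-site path that starts
        // with a single "/" and contains no CR/LF. That blocks header injection
        // and open redirects at once; percent-encoding a hostile value is not a fix.
        $to = $this->request->getQuery('to');
        if (!is_string($to) || !preg_match('#^/(?![/\\\\])#', $to) || preg_match('/[\r\n]/', $to)) {
            $to = '/';
        }
        return $this->redirect($to);
    }
}
```

On the answer's "server-side restriction" for item 4: `allowMethod()` only covers requests that reach a controller action, so it is the right place for DELETE on a given action, but TRACE (and methods on paths your routes do not match) should be switched off in Apache or nginx, in front of PHP. On CakePHP 3.0 to 3.3 the same response settings are written with the mutable methods `type()`, `header()` and `body()` instead of the `with*` calls shown.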
© 2024 OneMinuteCode. All rights reserved.