Note: This is for CakePHP 2.x; for 3.x please see the bottom of the article. The CakePHP built-in row-based CRUD auth is way too powerful and way too slow and memory-consuming. In 99% of all cases there…
Tag: Security
Working with passwords in CakePHP
The basics Usually, this is already well known. But there are still developers who actually store the password unhashed. You always have to store user passwords hashed. You can either use the still very common sha1 method (which is the…
Widgets and CSRF – How To
Outline Did you ever try to create a widget like "Facebook Like Box" or similar for your website? Did you try to include it in a foreign page with some JS code? If you use iframes, this is trivial. But…
Preventing Brute Force on Login
With default Cake login procedures a user could try unlimited passwords against one specific account. That means, if you write a bot that tries every possible combination (a thousand times per minute!), this bot could eventually gain access to the account….
CakePHP Security
When I first started with CakePHP I didn't know about those things, either. Everything was new and I was overwhelmed by all the functionality of the framework. The basic rule is: validate input, escape/sanitize output. Input I already wrote an…
Saving Model Data and Security
In Google Groups there are quite a few discussions every month about security against (primary key) injection, XSS or other things. And yes, the default templates will not protect you from any of this. They are meant to produce quick…