Securing Applications

    The ORM will quote any values that are passed as condition values automatically in order to
    protect your application from injection attacks.

    However, you cannot rely on this feature if you use user input in any other place of a query,
    such as a field or column name, which is not quoted as a value. The following example shows how
    untrusted user input can safely be used to specify the set of fields to be retrieved. As a
    countermeasure we first check that the provided field actually exists.

    if (!Posts::hasField($field)) {
        // Reject field names that are not part of the model's schema.
        throw new Exception("Field `{$field}` does not exist.");
    }
    Posts::find('first', [
        'fields' => [$field, 'title']
    ]);
    The FormSignature class cryptographically signs web forms to prevent adding or removing
    fields, or modifying hidden (locked) fields.

    To enable form signing in a view, simply call $this->security->sign() before generating your
    form. In the controller, you may then validate the request by passing $this->request to the
    check() method.

    Inside the view, call $this->security->sign() before outputting the form.

    Inside a controller action:

    if ($this->request->is('post') && !FormSignature::check($this->request)) {
        // Signature mismatch: the submitted form was tampered with, so do not process it.
    }

    To make form signing work, you must use the form helper to create the form and its fields.

    To prevent your application from opening up to the so-called mass assignment vulnerability,
    the framework provides you with the whitelist feature. This whitelist can be used to limit the
    set of fields which get updated during create or update operations.

    $data = [
        'name' => 'John Doe',
        'email' => 'haxx0r@example.org' // Added by the attacker.
    ];
    $user = Users::findById($authed['user']['id']);
    $user->save($data); // Saves every submitted field, including the attacker's email.

    As a countermeasure, additionally use the whitelist feature so that in this case only the
    name field gets updated.


    Always prefer whitelisting over blacklisting.
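    The two countermeasures above (checking that a user-supplied field name exists before using it, and whitelisting the fields a save may touch) as an added stand-alone PHP example that is not part of the Lithium manual; USER_FIELDS, selectedField() and applyWhitelist() are hypothetical helpers standing in for the framework's hasField() and the 'whitelist' option of save().

```php
<?php
// Added example, not from the Lithium manual. Runs without the framework: the
// hypothetical helpers below mirror what Posts::hasField($field) and
// $user->save($data, ['whitelist' => ['name']]) do inside li3.

// Hypothetical schema of the users table; in li3 the model's schema supplies this.
const USER_FIELDS = ['id', 'name', 'email', 'password'];

// Returns $field only if it is a known column. Field names are not condition
// values, so the ORM's automatic quoting does not cover them; an exact match
// against the schema is the check.
function selectedField(string $field, array $known): string
{
    if (!in_array($field, $known, true)) {
        throw new InvalidArgumentException("Field `{$field}` does not exist.");
    }
    return $field;
}

// Keeps only whitelisted keys of a submitted body and reports what was dropped,
// so an attempt to mass-assign extra fields can be logged.
function applyWhitelist(array $data, array $whitelist): array
{
    $allowed = array_intersect_key($data, array_flip($whitelist));
    $dropped = array_keys(array_diff_key($data, $allowed));
    return [$allowed, $dropped];
}

// Constructed request body: only 'name' is expected; 'email' was added by the attacker.
$data = [
    'name'  => 'John Doe',
    'email' => 'haxx0r@example.org',
];

[$safe, $dropped] = applyWhitelist($data, ['name']);
if ($dropped) {
    error_log('Dropped non-whitelisted fields: ' . implode(', ', $dropped));
}
// $safe now holds only 'name' and is what would be passed on to save().
print_r($safe);

// Untrusted field selection: the first call passes, the second is rejected
// because 'name, password' is not a column name.
echo selectedField('name', USER_FIELDS), "\n";
try {
    selectedField('name, password', USER_FIELDS);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```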

    into how many people aren't properly securing their MongoDB databases. The study found that over 40,000 sites using MongoDB had not configured their databases to require a password, so that a malicious user could connect without any authentication. When putting your database system online, make sure that you configure it properly so that it is secure.