Is SQL injection or hacking possible in the Yii web application? - yii

I am new to Yii. I want to know whether SQL injection or any other hacking is possible in a Yii web application. If so, how can that problem be avoided?

Yes. Any "hacking" is possible in any web application.
No software makes an application safe; a programmer does. Yii is only a tool, and how it is used is entirely up to the one who uses it.
So you have to learn how to use Yii and the technology, and security basics in general. Without such education, which cannot be acquired by asking and answering just one question, one cannot create a safe application.
To make this answer not entirely off topic: as long as you're using Yii ActiveRecord, you can consider your code SQL-injection safe, because AR takes the trouble of creating SQL queries for you.
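The difference the answer relies on, shown as an added example that is not from the answer or from Yii itself: the same user lookup written once with string concatenation and once with a bound parameter, run against an in-memory SQLite database through PDO. Yii's ActiveRecord and query builder bind parameters the same way underneath (the Yii 1.1 form `find('username=:u', array(':u' => $u))` is noted in a comment). The table, its row and the inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original answer or from Yii): the same lookup
// written unsafely with string concatenation and safely with a bound
// parameter. Uses an in-memory SQLite database via PDO so it runs
// stand-alone; table, row and inputs are constructed for the demonstration.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $db->exec("INSERT INTO user (username, password_hash) VALUES ('alice', 'hash-placeholder')");
    return $db;
}

// Vulnerable: the untrusted value becomes part of the SQL text, so the
// database cannot tell the data from the query structure.
function findUserUnsafe(PDO $db, string $username): ?array {
    $sql = "SELECT id, username FROM user WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: the value travels separately as a bound parameter and is only ever
// compared as data. This is what Yii's ActiveRecord does for you; in Yii 1.1
// the equivalent is User::model()->find('username=:u', array(':u' => $username)).
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();
// Constructed input that closes the quoted literal in the unsafe query.
$untrustedInput = "nobody' OR '1'='1";

var_dump(findUserUnsafe($db, $untrustedInput)); // alice's row: the WHERE clause became always true
var_dump(findUserSafe($db, $untrustedInput));   // NULL: no user has that literal name
```

The point to take from the two functions is that the safe version needs no escaping of its own: the driver never lets the parameter touch the SQL text. Keep this in mind where Yii lets you write a raw condition string; a condition built by concatenating user input is the unsafe form again, whatever layer it passes through.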

Yeah. It depends on the programmer and how he/she uses the code, if executed correctly. Try reading the Yii documentation; it shows how to use the code properly and make it resistant to SQL injection.

Yes. The saying "Security is insecurity." is a big issue in web security.
Everything is hackable, but it depends on the security of the system and the performance of the device trying to hack it. A hacker trying to hack a website with a normal PC may take millions of years, but using a quantum computer may break it within a second.
In the case of a web application built with the Yii PHP framework, it may also be hackable. Somehow, this framework provides strong security measures.

Related

Web Application Interface to SQL Queries

Looking for advice on web development languages/tools for a simple project. I have used HTML to create simple sites before but they were primarily just static information. I have no experience with web scripting, etc. at this point.
Our company has a half dozen or so Transact SQL queries that produce simple text reports from our SQL Server database. I would like to create a simple web type application so that users on our intranet can run these queries themselves vs. asking for what they need.
The queries require minimal input from the user. Typically they would only need to enter a start and stop date or a customer number, or an invoice number.
The application needs to be functional, not especially pretty. I want the user to be asked for the above type of input as appropriate and then to specify where a file with the results should be written on their computer.
On other projects I have done some Python programming in conjunction with the SQL Server database, just nothing that interacts with a web site or that has a GUI.
Thank you in advance for your suggestions.
You'll at the very least need to know a server-side language such as PHP or Python to make the queries. Maybe a CGI script?
Most commonly used, I believe, is PHP. It is well documented and meant for what you want to do, contrary to Python, which doesn't play as nicely with HTML as PHP. As stated on the PHP website, it is quite popular and as such has quite a few tutorials online. After you understand the syntax (you said you have programmed in Python, so only the syntax would be new to you) you should look into how to connect to your SQL Server. Microsoft owns that, so I hope (for them) they explain it well enough: http://technet.microsoft.com/en-us/library/cc793139(v=sql.90).aspx. That should equip you with what is needed for what you describe in the question.
I found this question as well: Can PHP work with a MS SQL database. The accepted answer suggests you can use PDO as well to connect to SQL Server. I recommend PDO over the mssql_ functions, because it offers an object-oriented API and an API that makes prepared statements really easy, among other things.
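As an added example that is not part of the answer above, a minimal report runner of the kind the question describes: the start/stop dates and customer number the user types in are validated, handed to a fixed query as typed PDO parameters, and the resulting rows are written out as CSV. It runs against an in-memory SQLite table so it works stand-alone; the invoice table, its rows and the report definition are constructed, and against SQL Server only the PDO DSN (the sqlsrv or dblib driver) would change.

```php
<?php
// Added example (not from the original answer). A small intranet report
// runner: validate the few inputs the reports need, then pass them to a
// fixed query as bound, typed parameters instead of pasting them into the
// SQL. In-memory SQLite is used here so the script runs stand-alone; the
// table, rows and report definition are constructed for the demonstration.

// Each report is a fixed SQL string with named placeholders. The user never
// supplies SQL, only values for these placeholders.
const REPORTS = array(
    'invoices_by_customer' => 'SELECT invoice_no, invoice_date, amount FROM invoice '
        . 'WHERE customer_no = :customer AND invoice_date BETWEEN :start AND :stop '
        . 'ORDER BY invoice_date',
);

// Returns a list of validation errors; empty means the input is acceptable.
function validateReportInput(array $in): array {
    $errors = array();
    foreach (array('start', 'stop') as $k) {
        $d = isset($in[$k]) ? DateTime::createFromFormat('Y-m-d', $in[$k]) : false;
        // Round-trip check rejects things like 2013-02-30 that createFromFormat silently rolls over.
        if ($d === false || $d->format('Y-m-d') !== $in[$k]) {
            $errors[] = "$k must be a date in YYYY-MM-DD form";
        }
    }
    if (!isset($in['customer']) || !preg_match('/^\d{1,10}$/', $in['customer'])) {
        $errors[] = 'customer must be a number of 1 to 10 digits';
    }
    if (empty($errors) && $in['start'] > $in['stop']) {
        $errors[] = 'start must not be after stop';
    }
    return $errors;
}

function runReport(PDO $db, string $name, array $in): array {
    if (!array_key_exists($name, REPORTS)) {
        throw new InvalidArgumentException("unknown report: $name");
    }
    $errors = validateReportInput($in);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $db->prepare(REPORTS[$name]);
    // Explicit types: the customer number goes to the driver as an integer.
    $stmt->bindValue(':customer', (int) $in['customer'], PDO::PARAM_INT);
    $stmt->bindValue(':start', $in['start'], PDO::PARAM_STR);
    $stmt->bindValue(':stop', $in['stop'], PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Write the rows as CSV, the "file with the results" from the question.
function writeCsv(array $rows, string $path): void {
    $fh = fopen($path, 'w');
    if ($rows) {
        fputcsv($fh, array_keys($rows[0]));
    }
    foreach ($rows as $r) {
        fputcsv($fh, $r);
    }
    fclose($fh);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoice (invoice_no INTEGER, customer_no INTEGER, invoice_date TEXT, amount REAL)');
$db->exec("INSERT INTO invoice VALUES (1001, 42, '2013-01-15', 120.50), (1002, 42, '2013-03-02', 75.00), (1003, 7, '2013-02-10', 10.00)");

// Constructed form input; in the web app this would come from the request.
$rows = runReport($db, 'invoices_by_customer',
    array('customer' => '42', 'start' => '2013-01-01', 'stop' => '2013-03-31'));
writeCsv($rows, 'php://stdout'); // two rows for customer 42

// Bad input is refused before any SQL runs.
print_r(validateReportInput(array('customer' => '42 abc', 'start' => '2013-01-01', 'stop' => 'soon')));
```

Validation and binding do different jobs here: binding is what keeps the input out of the SQL, while validation gives the user a clear error instead of an empty report when a date is mistyped, and keeps the customer number from reaching the driver as something other than an integer.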

Web CMS vs API vs Framework - HELP?! :(

I posed this question to my lecturer, but I would also like a variety of answers in order to better understand this conundrum of mine. Here is the original message with names omitted.
Hi **,
Thank you for your intro lecture today, I look forward to the work involved in the coming weeks.
I am, however, rather confused regarding the terms CMS, API and Framework. The internet isn't providing much help either, because these terms get thrown around a lot, and often for the very same thing!
I have a bit of background in LAMP web development, and I will provide a hypothetical scenario where hopefully you can tell me where these terms would fit in.
I am using LAMP (Linux web server with Apache, MySQL and PHP).
I am developing a website whereby the public can watch movies (umm... ignore the legal issues, purely hypothetical and for educational purposes of course!)
I create my MySQL database using phpMyAdmin, and tables will involve 'users', 'categories', 'content' etc.
I now create an 'admin control panel (CP)' which I will refer to as the back-end. Authorised users, depending on their access levels (as determined by their account in the 'users' table) can add/edit/delete various things. These changes are reflected on what I call the front-end.
The front-end is the public facing website, whereby the public visit this website to watch films of their choice.
The back-end (i.e. the Admin CP) controls/regulates the content of users and pretty much everything. Over time, the developers could add more features to this for more functionality, e.g. comments. Alternatively, a developer could use the Facebook comments API to include on every 'film' page on the front-end, which makes it a lot easier.
Now back to the main question at hand, is this a web CMS? Where would an API fit into this? Is this a framework?
Note: I'm not using anything like WordPress or Joomla etc., it's all custom coded by myself. Using PHP and HTML5, CSS3, maybe a bit of jQuery too, and of course SQL statements via PHP to interact with the MySQL database.
I appreciate your help in this confusion of mine.
Thanks,
EDIT: I have commented my thoughts based on Justin's input. If I'm on the right track let me know, cheers.
Thanks for the post.
The three terms you have stated are used quite often around the web, and they are always changing. First you have a CMS; CMS stands for Content Management System, like WordPress and Joomla, which you stated above. That is where someone has already created the software to create a site/blog without having to mess with PHP, MySQL, and Apache. You are merely doing everything on the front-end, just simply posting your content and making it live. The software does all of the back-end work for you.
API, simply put: an open-source "plug-in" which allows the user to integrate a service or application into their site or application for use.
Framework: like Bootstrap, created by Twitter. A web framework is an easy way to develop a site on the front-end. It gives the learning amateur a chance at developing the front-end while learning great concepts along the way.

Embedded SQL editor for web pages

We are developing a web application in Java/Java EE where users should be able to type in the SQL queries, and should be able to see syntax coloring, table view, content help etc.
Please suggest any third party tools which can be embedded into webpages which does this.
The closest thing I can find is this: http://archive.eso.org/wdb/html/wdb.html. I have never used it and it may require an interface implementation for the specific DB you use (see the dev section http://archive.eso.org/wdb/html/doc/WDB/node1.html).
I think the problem is most web front ends specialise in one particular DBMS instead of being agnostic and most are not written in a way that enables components to be dropped into other applications.
The WDB code may give you a starting point on coding this yourself though.
Is there a particular DBMS that you need to support?
You might have more joy looking into available third-party SQL parsers and hooking them up in a web page with AJAX. I would expect any third-party library worth its salt to already try to detect SQL injection, but it would be wise to verify that's the case.

Rapid web application development with a Web Toolkit

I spend a lot of time (actually too much time) developing back-office applications whose main purpose is content management and web application configuration. Here is how I can describe these apps:
- Made with PHP
- Using a MySQL or Postgres or SQLite database
- Made of a lot of pages and features
- Very simple features, mostly data CRUD (create+read+update+delete into the database)
- Mostly made of forms
- UIs are usually quite simple (html + css + very basic javascript)
All of the data access code in these apps relies on a library I developed years ago and re-use every time I can. This part is not time-consuming.
What's time-consuming is the UI part, and mostly designing data lists and forms. Using a WYSIWYG editor would make a lot of sense here, except those I tried (Dreamweaver, FrontPage, Expression, Eclipse, ...) don't really make it much faster, because the generated code is often bloated, and these tools can't rely on custom libraries such as the one I made and use.
I figured using a Web Toolkit could be another way to spend less time developing these tools. So before I spend too much time looking for the perfect toolkit, I would appreciate your opinions and experiences on that kind of matter.
Disclaimer: I'm not looking for advice on how MVC is the way to go and how CodeIgniter/Zend/WhatEver is the framework I should use. My question is not about the frameworks or the design patterns I should build my applications upon. My question is about using the right tool to make simple web application development faster, and their code even more re-usable.
Is there an awesome web-application RAD tool I don't know about?
Which toolkit do you use for simple but form-heavy web applications?
Are there good, light, non-bloated, reliable toolkits written in PHP?
Thanks in advance!
Edit: Not getting much feedback so far :/ I'm aware that my question is very broad, but I'm sure lots of people work on the same kind of projects I'm talking about, and have improved their productivity by using toolkits such as GWT, Wicket and such. Tell me about it, please :)
September 28 edit: Thanks everyone for the interesting answers. What I'm looking for is not covered by any framework I could try in the past months. PHP is probably not the best language to use for my vision of RAD, but since it's a language I know very well, and since I don't want to spend too much time learning Python as well as I know PHP (for the moment), I decided to do it by myself. Every time I have a specific need for a widget, I code it in the most re-usable way... so far so good :)
I might open-source that toolkit at some point, and will let you guys know.
The PHP project I've been working on the past few years is a lot like that. Heavy on forms, heavy on server-side logic, but lots of redundant form coding. To make matters worse, it wasn't all forms; sometimes we actually need to do fancy layout (even just doing a tree control is a pain without a library), and the home-grown nature of the UI meant that I would be battling browser quirks from start to finish.
So, I got to thinking about what a better architecture would be. We needed very powerful form controls, rich grids, rich trees, advanced layout, and we needed to migrate to that gradually. None of the PHP frameworks seemed to fit. Then I took a step back and realized that it didn't have to be PHP, it could be javascript also. We already had a requirement on javascript, so it was fine to go the distance with it. First I looked at the smaller libraries, jquery, prototype, but it became obvious that they didn't do enough. So I looked at Dojo, ExtJS, YUI, all the really heavy javascript toolkits, and settled on ExtJS as having the best controls.
We had a UI structure that relied heavily on iframes, a navigation frame on the outside, application frames inside that, feature frames inside that, and so on. What we ended up with is we're migrating those from the outside in. It's all becoming ExtJS, and it's all living in the same page. The server-side code is kept the same, but it's migrated into web services. At the same time we've integrated zend framework, and are porting some of the stuff you really shouldn't do home-grown to it, like authentication and translation.
The end goal is being able to write just the business logic without having to mess with all the boilerplate. It's too early to know if my approach will pan out, but I think my message would be to be critical towards your code base and decide which parts you want to keep writing yourself, and which parts you want to outsource to a library.
Please try http://agiletoolkit.org/. I think it's what you need. Results with minimum time/code.
At the moment I'm using a solid forms class to render HTML forms with client- and server-side validation, and a database class to write the SQL. I can get a CRUD section of my admin console up in about 10 lines of code. I wrote those classes myself so I can re-use them in all my projects. Hopefully that gives you some ideas?
I would stay away from WYSIWYG tools personally.
I'm testing NuBuilder.com, which I discovered within the last few days; at first look it seems promising. If you take a look, please send me your feedback!
Maybe adopt or create an "app-based" infrastructure like Django's? In Django's case, the community has created some powerful baselines like Pinax.
I think Symfony may be the way to go because, like your apps:
- it's written in PHP
- ORM based on Propel/Doctrine (so you can use MySQL, Postgres or SQLite)
- the architecture and patterns used will help you with complex applications
- you'll find tools helping you to debug, document, and test your application
- forms creation, validation, l10n & i18n, testing, AJAX are easy (forms within symfony are explained here, check it out)
- prototyping your web pages while developing your application is easy
Other tools/practices implemented in the symfony framework that will make your life easy:
- full configuration using YAML syntax (easy to read and understand)
- the scaffolding feature generates a simple CRUD interface for editing your data
- you don't have to worry about coding form sanitization, security, caching, ACL; configuration is needed, but no heavy coding
The only downside, you need to read some documentation to understand "the symfony way of doing things". But hey, a good framework is 20% code and 80% good practices.
My point is, even if you don't want to use Symfony for your project, you should check its features and built-in tools, because that's the kind of tools you want for your project.
I started using Django and it has very helpful features, esp. the built-in admin (for general CRUD stuff) and really great form-handling code & widget rendering. I'd suggest taking a look, even if you don't plan on using python, just to get an idea.
You mentioned that you don't want advice on "Use X framework", since this is more about RAD & UI/forms than system architecture. But I've found that a good framework helps just as much with the UI & forms side of things as it does the architecture. That means that while frameworks are great for big projects, they're also very helpful in reducing code redundancy. I started creating my own helper functions in PHP that I would copy from app to app that would automatically render an HTML form based on a few parameters. Even after a lot of work, this was very rudimentary compared to what Django offers, and basically I was writing my own framework.
I think you may be looking for a GUI-style tool to help, but you might find that a good PHP framework is more helpful in this case. At the very least, have you tried creating your own helper libraries? I know those helped me a lot.
Simple Example:
    // One text input; name and value are HTML-escaped so a value cannot break out of the attribute.
    function renderInput($name, $value = "") {
        print "<input type=\"text\" name=\"" . htmlentities($name) . "\" value=\"" . htmlentities($value) . "\">";
    }
    // One radio button per choice, with the one matching $value pre-selected.
    function renderRadios($name, $value = "", $choices = array()) {
        foreach ($choices as $cvalue) {
            print "<input type=\"radio\" name=\"" . htmlentities($name) . "\" value=\"" . htmlentities($cvalue) . "\" " . ($cvalue == $value ? "checked" : "") . ">";
        }
    }
And build up from there. Stupid things like this tend to make form creation just that much faster. A good framework will blow this out of the water. And I'm sure the above has some typos, I haven't done PHP in a little bit.
If this isn't what you're looking for, could you add some more to the question? I'm curious.
Although you're asking for PHP + MySQL, I would like to recommend that you give the OutSystems Agile Platform a try.
You can create a simple CRUD app in less than 10 minutes and grow it as you go into a more complex system.
Download the Community Edition for free at www.outsystems.com.
Best,
Not sure, but it looks like TIBCO General Interface (http://www.generalinterface.org) is what you're looking for.

Good database library/ORM for cocoa development

I am developing a cocoa application that will be making heavy use of both web services and a standard dbms (most likely MySQL) and I am wondering if anyone has a good option for a database library or ORM solution they have used. CoreData is not an option due to the need to support a standard DBMS and to be able to modify the data outside of the normal application operation.
I have found a number of possible options from new open source libraries:
http://github.com/aptiva/activerecord/tree/master
To writing my own wrapper for the C MySQL api.
Any advice is welcome,
Thanks!
Paul
We faced a similar question when we first started work on Checkout; our solution was to code the entire app in Python, using PyObjC. Checkout 1 had an SQLite backend, Checkout 2 has a Postgres backend.
There are a couple of really mature and powerful ORMs on the Python side, such as SQLObject, which is pretty simple to work with (we used it for Checkout 1.0), and SQLAlchemy, which is more powerful but a bit harder to wrap your brain around (we used it for Checkout 2.0).
One approach you could evaluate is building the application in Objective-C, but writing the data model and database connectivity/administration code in Python. You can use PyObjC to create a plugin bundle from this code that you then load into your app. That's more or less the approach we took for Checkout Server, which uses a Foundation command-line tool to administer a Postgres server and the databases in it; this CLI tool in turn loads a Python plugin bundle that has all of the actual database code in it. End users mostly interact with the database through a System Preferences pane that has no clue what the database looks like, but instead uses the command-line tool to interact with it.
Loading a plugin is simple:
NSBundle *pluginBundle = [NSBundle bundleWithPath:pluginPath];
[pluginBundle load];
You will probably need to create .h files for the classes in your bundle that you want to have access to from your Obj-C code.
You might also want to check out the BaseTen framework. It is a Core Data-like framework (in fact, it can import Core Data models), but works with PostgreSQL (though not MySQL, as far as I know). It includes some very nice features such as schema discovery at run time. It also includes an NSArrayController subclass that automatically handles locking and synchronizing across multiple users, so you can continue to make use of Apple's key-value binding in your UI.
I have personal experience with this particular problem. I even started down the road of writing my own wrapper for the C MySQL API.
The eventual conclusion was: Don't!
The solution that worked in my case was to communicate with the MySQL server via PHP. If you are familiar with web services, chances are that you know about PHP, so I won't go into loads of detail about that.
To read from the database:
The cocoa app sends a request for a URL on the server: http://theserver.com/app/get_values.php
The get_values.php script handles the database query, and returns the data in xml format
The cocoa app loads and parses the xml
To write to the database:
The cocoa app sends a more complex request to the server: http://theserver.com/app/put_values.php?name="john doe"&age=21&address=...
The put_values.php script parses the input and writes to the database
The beauty of this solution is that PHP is great for working with MySQL, and cocoa has some handy built-in classes for working with XML data.
edit: one more thing:
One of the key things you have to figure out with this approach is how much processing should be done on the server, and how much should be done in the app itself. Let cocoa do the things that cocoa is good at, and let PHP and MySQL do the things that they are good at.
You could write a generic PHP script to handle all queries: perform_query.php?querystring="SELECT * FROM .....", but that is hardly an optimal solution. Your best bet is several smaller PHP scripts that handle individual datasets for you. In my case, there was one to get the list of users, one to get the list of transactions, etc. Again, it all depends on what your app is going to do.
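An added example, not the answer's own get_values.php, of the "several smaller PHP scripts" shape the answer recommends, folded into one endpoint: the Cocoa app asks for a dataset by name, the server maps that name to a fixed query it owns, validates and binds the parameters, and returns XML for the app to parse. The dataset names, tables, rows and the request values are constructed, and in-memory SQLite stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example (not from the original answer). One PHP endpoint that serves
// a Cocoa app several fixed datasets by name and returns XML. The client
// never sends SQL (the perform_query.php?querystring=... design the answer
// advises against); it sends a dataset name from an allowlist plus values
// for that dataset's placeholders. SQLite in memory and the sample rows are
// constructed for the demonstration.

// Allowlist: dataset name -> fixed query and the parameters it accepts.
const DATASETS = array(
    'users' => array(
        'sql'    => 'SELECT id, name FROM user ORDER BY id',
        'params' => array(),
    ),
    'transactions' => array(
        'sql'    => 'SELECT id, user_id, amount FROM txn WHERE user_id = :user_id ORDER BY id',
        'params' => array('user_id' => PDO::PARAM_INT),
    ),
);

function fetchDataset(PDO $db, string $name, array $request): array {
    if (!array_key_exists($name, DATASETS)) {
        throw new InvalidArgumentException('unknown dataset');
    }
    $spec = DATASETS[$name];
    $stmt = $db->prepare($spec['sql']);
    foreach ($spec['params'] as $param => $type) {
        $present = isset($request[$param]);
        if (!$present || ($type === PDO::PARAM_INT && !ctype_digit((string) $request[$param]))) {
            throw new InvalidArgumentException("missing or invalid parameter: $param");
        }
        $value = $type === PDO::PARAM_INT ? (int) $request[$param] : (string) $request[$param];
        $stmt->bindValue(':' . $param, $value, $type);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Serialise rows as <rows><row><col>value</col>...</row></rows>. Values go in
// as text nodes so '<' and '&' in the data are escaped and cannot break the
// document (DOMDocument::createElement's value argument would not escape '&').
function rowsToXml(array $rows): string {
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('rows'));
    foreach ($rows as $row) {
        $el = $root->appendChild($doc->createElement('row'));
        foreach ($row as $col => $val) {
            $c = $el->appendChild($doc->createElement($col));
            $c->appendChild($doc->createTextNode((string) $val));
        }
    }
    return $doc->saveXML();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE txn (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL)');
$db->exec("INSERT INTO user (name) VALUES ('John <Doe> & Co'), ('Jane')");
$db->exec("INSERT INTO txn (user_id, amount) VALUES (1, 9.99), (1, 20.00), (2, 5.00)");

// In the deployed script $_GET['dataset'] and the remaining query parameters
// would supply these; here they are constructed.
// header('Content-Type: application/xml');
echo rowsToXml(fetchDataset($db, 'users', array()));
echo rowsToXml(fetchDataset($db, 'transactions', array('user_id' => '1')));

try {
    fetchDataset($db, 'transactions', array('user_id' => '1x'));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // rejected before any SQL runs
}
```

The write-side counterpart (the answer's put_values.php) should follow the same pattern, with the one addition that a request that changes data is better taken from a POST body than from a URL query string, so that it is not replayed by caches, logs or a stray link.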
GDL2 is a nice example, based on EOF.
Instead of reinventing the wheel by writing your own communication wrapper to deal with MySQL from Cocoa, you could try the SMySQL framework (a.k.a. MCPKit), it was part of the CocoaMySQL application that evolved into the Sequel Pro project. It works with varying versions of MySQL, and seems to be quite robust.
If you need to understand how to incorporate it into your application, there's not much documentation around, but it has an easy to understand interface and you can see it working by looking at the source of Sequel Pro, which is downloadable from Google code.
There is also the CocoaMySQL-SBG fork of the CocoaMySQL project, but that seems to be out of date and I couldn't get it to build properly.
I've also implemented a simple object persistence framework based on sqlite, but it certainly wasn't trivial to do. I agree with eJames' conclusion- don't implement one yourself if you don't have to.
If you aren't committed to programming in Objective-C you might want to take a look at PyObjC which would allow you to program the database portion in Python. You can use the MySQLdb module for DB access and there are plenty of tutorials online for its use. It isn't hard to stuff the data back into Cocoa/CF classes and pass them back to your app.
The main caveat with PyObjC is that at the moment it doesn't work with Tiger.