- Protecting against Cross-site scripting (XSS)
For sanitization against XSS it is generally better to save the raw HTML in the database without modification and to sanitize at the time of output/display.

We can use

$this->data = Sanitize::clean($this->data, array('encode' => false));

in either the beforeSave() or the afterFind() method. It is good to sanitize in the afterFind() method of the Model. This is called after a search, which you are probably doing before displaying your data.
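The store-raw, escape-on-output pattern from the paragraph above, as an added example that is not code from the original post or from CakePHP itself. h_like() mimics what CakePHP's h() helper does (htmlspecialchars() with ENT_QUOTES and the application charset); the row layout, the field names and the comment body are constructed sample data. The example also shows why escaping belongs at output time: the same raw value can be rendered into HTML and into JSON with the encoder each context needs.

```php
<?php
// Added example (not code from the original post): keep the raw HTML in the
// database and escape it at output time. h_like() mirrors CakePHP's h()
// (htmlspecialchars() with ENT_QUOTES and the app charset). The row below
// is constructed sample data, shaped like a find() result.
function h_like($text, $charset = 'UTF-8') {
    return htmlspecialchars($text, ENT_QUOTES, $charset);
}

// Constructed sample row: the body exactly as the user submitted it,
// saved without modification.
$row = array(
    'Comment' => array(
        'id'   => 7,
        'body' => '<script>alert("xss");</script> Nice "post" & thanks',
    ),
);

// HTML context: escape on display, so the markup is shown as text and is
// never interpreted by the browser.
function render_comment_html(array $row) {
    return '<li id="comment-' . (int) $row['Comment']['id'] . '">'
         . h_like($row['Comment']['body'])
         . '</li>';
}

// JSON context (e.g. an API response): a different encoder for a different
// output context. This only works cleanly because the stored value is raw;
// had the body been HTML-escaped on save, the API would hand out &quot; and &lt;.
function render_comment_json(array $row) {
    return json_encode(array(
        'id'   => $row['Comment']['id'],
        'body' => $row['Comment']['body'],
    ));
}

$html = render_comment_html($row);
// Sanity check: the raw body contained a <script> tag, the rendered HTML must not.
if (strpos($html, '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
echo $html, "\n";
echo render_comment_json($row), "\n";
```

Run it with `php` from the command line; the HTML line shows the script tag as visible text, while the JSON line carries the untouched body for a client that will do its own escaping.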
To sanitize in a view, you should use the CakePHP convenience function h(), which is a shortcut for htmlspecialchars() and will render all attempts at XSS completely harmless. This does not physically remove the XSS code, but presents it in a way that cannot harm your application.

echo h('<script>alert("xss");</script>');

would produce

&lt;script&gt;alert(&quot;xss&quot;);&lt;/script&gt;

- Protecting against Cross Site Request Forgery (CSRF)
To protect from Cross Site Request Forgery you have to add the Security component to the $components array of your controller(s):
public $components = array('Security');

CakePHP will then automatically add a nonce to your form when you use the Form helper to create your forms.

When using the Security Component you must use the FormHelper to create your forms. The Security Component looks for certain indicators that are created and managed by the FormHelper (especially those created in create() and end()). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to trigger a black-holing of the request. See the $validatePost or $disabledFields configuration parameters.
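A controller and form wired up the way the section above describes, as an added example for CakePHP 1.3 (the release that has $disabledFields); it is not code from the original post or from the CakePHP project. The controller, model, field and callback names (PostsController, Post, preview, blackhole) are assumed for illustration. It shows the one field that JavaScript toggles being declared in $disabledFields so the field-list check does not black-hole the request, and a callback that logs black-holed requests instead of answering them silently.

```php
<?php
// Added example for CakePHP 1.3, not code from the original post.
// Controller, model, field and callback names are assumed.

// app/controllers/posts_controller.php
class PostsController extends AppController {
    public $components = array('Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // Keep POST validation on: the component compares the submitted
        // field list against the hash the FormHelper embedded on create()/end().
        $this->Security->validatePost = true;
        // Fields that JavaScript adds, removes or disables after page load
        // must be declared here; otherwise the changed field list black-holes
        // the request.
        $this->Security->disabledFields = array('Post.preview');
        // Send black-holed requests to a controller method so the attempt is
        // logged rather than silently turned into an error page.
        $this->Security->blackHoleCallback = 'blackhole';
    }

    // $type names the failed check, e.g. 'auth' for a bad token or field hash.
    public function blackhole($type) {
        $this->log(sprintf('Security black hole (%s) on %s from %s',
            $type, $this->here, env('REMOTE_ADDR')), LOG_ERROR);
        $this->redirect(array('action' => 'index'));
    }

    public function add() {
        if (!empty($this->data)) {
            // Only reached when the token and the field-list hash validated.
            if ($this->Post->save($this->data)) {
                $this->redirect(array('action' => 'index'));
            }
        }
    }
}

// app/views/posts/add.ctp -- the form MUST come from the FormHelper.
echo $this->Form->create('Post');                       // emits the hidden _Token[key] (the nonce)
echo $this->Form->input('title');
echo $this->Form->input('body');
echo $this->Form->input('preview', array('type' => 'checkbox')); // toggled by JS, hence disabledFields above
echo $this->Form->end('Save');                          // emits the hidden _Token[fields] (field-list hash)
```

A hand-written `<form>` in the view, or a form whose hidden token fields were stripped, fails the check in exactly the same way as a forged cross-site request, so the log entry from blackhole() is worth watching during development to tell the two apart.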
- Protecting against SQL injection
save(array $data = null, boolean $validate = true, array $fieldList = array());

Featured above, this method saves array-formatted data. The second parameter allows you to sidestep validation, and the third allows you to supply a list of model fields to be saved. For added security, you can limit the saved fields to those listed in $fieldList.

If $fieldList is not supplied, a malicious user can add additional fields to the form data (if you are not using the Security component) and thereby change fields that were not originally intended to be changed.

It is important to note that updateAll() does not escape the fields, so be cautious when using it. Using the SecurityComponent you get automatic form-spoofing protection. Data validation is a big integrated part of models. The AuthComponent hashes and salts passwords properly.
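Both points of this section in one controller, as an added example for CakePHP 1.3 that is not code from the original post or from CakePHP: save() with a $fieldList so that extra form fields are dropped, and updateAll() with a user-supplied value quoted through the datasource's value() method because updateAll() does not escape its $fields. The controller, model, field names and the archive action are assumed for illustration.

```php
<?php
// Added example for CakePHP 1.3, not code from the original post.
// Controller, model and field names are assumed.

// app/controllers/posts_controller.php
class PostsController extends AppController {
    // Security component: rejects forms whose field list was tampered with.
    public $components = array('Security');

    // Whitelist the columns a user may set. A crafted POST that adds
    // data[Post][user_id] or data[Post][published] is silently ignored,
    // even on a request that bypassed the Security component (e.g. an API).
    public function edit($id = null) {
        $this->Post->id = (int) $id;
        if (!empty($this->data)) {
            $editable = array('title', 'body');
            if ($this->Post->save($this->data, true, $editable)) {
                $this->redirect(array('action' => 'view', (int) $id));
            }
        }
        $this->data = $this->Post->read(null, (int) $id);
    }

    // updateAll() inserts the $fields values into the SQL verbatim, so a
    // user-supplied value must be quoted and escaped by the datasource first.
    // The conditions array, by contrast, is escaped by the framework.
    public function archive($id = null) {
        $note = isset($this->data['Post']['note']) ? $this->data['Post']['note'] : '';
        $db = $this->Post->getDataSource();
        $this->Post->updateAll(
            array(
                'Post.archived' => 1,                          // SQL literal, safe as-is
                'Post.note'     => $db->value($note, 'string'), // quoted + escaped string
            ),
            array('Post.id' => (int) $id)
        );
        $this->redirect(array('action' => 'index'));
    }
}
```

The rule of thumb the example encodes: anything in updateAll()'s first argument is SQL, not data, so it is either a literal you wrote yourself or a value that went through $db->value() first.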
It was really helpful... amazing

Great, mate!!!!!!!!!!!!!!