views: 28 | answers: 3

I am thinking of using cakePHP to build a web app. My question is how much of security stuff will I have to code myself to prevent (SQL injection etc)? What security stuff cakePHP takes care of by itself and what will I have to code?

A: 

CakePHP itself is pretty good at it; you will not have to worry about what is submitted. But if you are using the data, everything will of course be unescaped. So a form built from the Helper classes will be XSS safe, but once you are printing out what is in $this->data you must know and take care to escape it. h() is an often used alias for htmlspecialchars().

CakePHP has no protection against XSRF out of the box.

For ACL it provides you some components.

sibidiba
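As an added illustration (not code from the answer above or from CakePHP itself), here is plain PHP showing the two points the answer makes: escaping what comes out of $this->data with an h()-style helper, and a minimal CSRF token check of the kind you would have to write yourself. The h() stand-in, the $data array, the session key and the _csrf field name are assumptions made for this example.

```php
<?php
// Added example, not from the answer or the framework; names are illustrative.

// CakePHP's h() is an alias for htmlspecialchars(); this stand-in lets the
// snippet run without the framework.
function h($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample of what $this->data might hold after a form submission.
$data = ['User' => ['name' => '<script>alert(1)</script>']];

// Unescaped: the browser would execute the script tag.
echo '<p>' . $data['User']['name'] . "</p>\n";
// Escaped: rendered as literal text, which is what the answer recommends.
echo '<p>' . h($data['User']['name']) . "</p>\n";

// Minimal CSRF token handling, since the answer notes CakePHP does not
// provide it out of the box. Token lives in the session, not in a cookie
// the attacker's page could read.
session_start();

function csrfToken() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid($submitted) {
    // hash_equals() avoids leaking the token through timing differences.
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Embed the token in every state-changing form (escaped like any other value)...
echo '<input type="hidden" name="_csrf" value="' . h(csrfToken()) . '">' . "\n";

// ...and reject POST requests whose token does not match before using $data.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfValid($_POST['_csrf'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```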
A: 

For sure it depends on what your code style is and what your understanding of the framework is. For sure, if you are using CakePHP functions for storing data it will be pretty much OK.

But currently I am working on a paid CakePHP "Application" which is far from secure code :) So it really depends on the developer.

Nik
A: 

Cake does a lot of things automatically but some not. Depending on how secure you want your forms, you should also consider "white-listing": details

The easiest method would be to use the Security component.

mark