Working with passwords in CakePHP

The basics: Usually this is already well known, but there are still developers who actually store passwords unhashed. You always have to store user passwords hashed. You can either use the still very common sha1 method (which is the…

Preventing Brute Force on Login

With the default Cake login procedure, a user could try an unlimited number of passwords against one specific account. That means that if you write a bot that tries every possible combination (a thousand times per minute!), this bot could eventually gain access to the account…

CakePHP Security

When I first started with CakePHP, I didn't know about those things either. Everything was new and I was overwhelmed by all the functionality of the framework. The basic rule is: validate input, escape/sanitize output. Input: I already wrote an…

Saving Model Data and Security

In Google Groups there are quite a few discussions every month about security against (primary key) injection, XSS or other things. And yes, the default templates will not protect you from any of this. They are meant to produce quick…