Mass assignment is not enabled by default. It is allowed only for fields that are explicitly covered by some validation rule.
$model->attributes = $_GET[ 'Submission' ];
is equivalent to this code:
$model->attribute1 = $_GET['Submission']['attribute1'];
$model->attribute2 = $_GET['Submission']['attribute2'];
$model->attribute3 = $_GET['Submission']['attribute3'];
XSS, SQL Injection, , ;
XSS, SQL Injection, CHtmlPurifier, HTML . CHtmlPurifier, - , XSS.
, ,
public function rules()
{
    // Validation rules for this model. In Yii 1.x an attribute named in a rule
    // that applies to the current scenario is treated as "safe", i.e. it may be
    // set through $model->attributes = ... (mass assignment).
    $credentialFields = 'username, password, salt, email';

    $rules = array();
    // No 'on' key: these two rules apply in every scenario.
    $rules[] = array($credentialFields, 'required');
    $rules[] = array($credentialFields, 'length', 'max' => 128);
    // NOTE(review): because the rules above carry no 'on', password and salt
    // appear to be mass-assignable in every scenario, including 'search';
    // presumably an 'unsafe' rule or a dedicated scenario is wanted -- confirm.
    // Mass-assignable only while the model is in the 'search' scenario.
    $rules[] = array('first_name,last_name,username,email', 'safe', 'on' => 'search');

    return $rules;
}
$model->attributes = $_GET[ 'Submission' ];
username email , first_name, last_name , .
, , , , ,
public function rules()
{
    // Validation rules for this model. Attributes listed in a rule that is
    // active for the current scenario become mass-assignable ("safe").
    $credentialFields = 'username, password, salt, email';
    $nameFields = 'first_name,last_name';

    $rules = array();
    // Scenario-independent rules (no 'on' key).
    $rules[] = array($credentialFields, 'required');
    $rules[] = array($credentialFields, 'length', 'max' => 128);
    // NOTE(review): with no 'on' on the two rules above, password and salt look
    // mass-assignable in every scenario; presumably an 'unsafe' rule or a
    // separate scenario should restrict them -- confirm.
    // Names are mass-assignable in 'create' and 'update' ...
    $rules[] = array($nameFields, 'safe', 'on' => 'create,update');
    // ... and, together with username and email, in 'search'.
    $rules[] = array('first_name,last_name,username,email', 'safe', 'on' => 'search');

    return $rules;
}
, XX. XSS , ,
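public function rules()
{
    // Validation rules for this model.
    //
    // Fix: a Yii 1.x rule needs the validator name as its second element. The
    // original purifier rule was written as array('attrs', 'filter'=>callback),
    // which has no element at index 1, so no validator could be built from it.
    // The correct shape is array('attrs', 'filter', 'filter'=>callback).
    $purifier = new CHtmlPurifier();

    return array(
        array('username, password, salt, email', 'required'),
        array('username, password, salt, email', 'length', 'max'=>128),
        // Run each value through CHtmlPurifier before validation/saving. This
        // hardens against stored XSS in HTML that is later rendered; it does
        // nothing for SQL injection, which is handled by parameterised queries,
        // and output should still be encoded in the view.
        // NOTE(review): a filter rule without 'on' also appears to make these
        // attributes safe in every scenario, so the 'search'-only rule below no
        // longer restricts mass assignment; add 'on' here if that is intended -- confirm.
        array('first_name,last_name,username,email', 'filter', 'filter'=>array($purifier, 'purify')),
        array('first_name,last_name,username,email','safe','on'=>'search'),
    );
}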
first_name, last_name, username, email XSS, SQL .
TL;DR