I want to know whether the conventions that are followed in CakePHP pose any kind of security vulnerability in the web app. As in, it is a convention to set id as the primary key in all the tables. So doesn't it provide a security vulnerability, as any attacker will know that id is the primary key in a particular table, so this information can be helpful to the attacker? Similarly, there are many other conventions that have to be followed, which basically make development using the framework very easy but may cause security issues in the app.
1 Answer
4
According to the OWASP security standards, security by obscurity is not a good way of developing securely. Therefore, even though the hacker knows that your primary keys are named "id", it shouldn't be an issue.
In fact, if the hacker is able to execute some sort of malicious SQL, he might as easily execute a describe table and know what the primary key is even if it is not named "id" :) I would rather focus on developing in such a way where no malicious scripts can be executed in the first place :)
What do you think?

Gabriel Spiteri
- Yeah, I agree. Thanks for the explanation and the link. I have just started working on PHP and frameworks, and till now I am finding CakePHP very easy to use. – Kumar Akarsh Jun 16 '11 at 12:09
- Yeah, I have been using CakePHP for about a year now and I really have fun using it :) – Gabriel Spiteri Jun 16 '11 at 12:12
- Oh, and if you think the answer was satisfactory enough, please remember to tick the answer as correct :). Thank you :) – Gabriel Spiteri Jun 16 '11 at 12:13
- Oh yeah. I am new here! Just did it. :) – Kumar Akarsh Jun 16 '11 at 12:17
- Cheers mate. Welcome to SO btw :) – Gabriel Spiteri Jun 16 '11 at 12:17
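
The point made in the answer, as an added example that is not part of the original thread and is not CakePHP's own code: the same request input is run against a table keyed on the conventional `id` and against one keyed on an obscure name, once through string concatenation and once through a bound parameter. It assumes PHP with the `pdo_sqlite` extension; the tables, the column `zq_key_77`, the function names and the sample input are constructed for the illustration.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite through PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Two tables with identical rows: one uses the conventional key name `id`,
// the other an "obscure" key name (hypothetical, for comparison only).
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE members (zq_key_77 INTEGER PRIMARY KEY, name TEXT)');
foreach (['users', 'members'] as $table) {
    $db->exec("INSERT INTO $table (name) VALUES ('alice'), ('bob'), ('carol')");
}

// Vulnerable: the request input is concatenated into the SQL text,
// so the database parses it as part of the statement.
function findConcatenated(PDO $db, string $table, string $key, string $input): array
{
    $sql = "SELECT name FROM $table WHERE $key = $input";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed and the input travels as a bound value.
// $table and $key are constants chosen by the code below, never request data.
function findBound(PDO $db, string $table, string $key, string $input): array
{
    $stmt = $db->prepare("SELECT name FROM $table WHERE $key = :value");
    $stmt->execute([':value' => $input]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed hostile input; note that it never mentions a column name.
$hostile = '1 OR 1=1';

foreach ([['users', 'id'], ['members', 'zq_key_77']] as [$table, $key]) {
    printf(
        "%-8s concatenated: %d row(s), bound: %d row(s)\n",
        $table,
        count(findConcatenated($db, $table, $key, $hostile)),
        count(findBound($db, $table, $key, $hostile))
    );
}
```

Through concatenation the input returns every row from both tables, whatever the key is called; through the bound parameter it is compared as a single value and matches nothing in either table.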