CModel vs CFormModel vs CActiveRecord
I am building a DB-intensive application in Yii, so performance and security are naturally a concern. Apart from that, form validation is also a major criterion. For security I plan to use parameter binding for all SQL queries. For validation I want to use the validators provided by Yii instead of rolling out my own. I am aware that performance takes a hit with CActiveRecord, so I plan to make CModel classes for all my tables, define validation rules in these respective models and also define functions to perform the SQL queries for retrieval and insertion of data. All my data collection on the website is primarily through forms (about 95%). Should I use CFormModel? I don't really understand the distinction between CModel and CFormModel. Is there any performance hit in using either?
Also, to prevent XSS attacks I want to use the HTML Purifier wrapper as a validation rule. Since I read almost everywhere that performance is bad for this wrapper, is it going to be bad even if I use it as a validation rule? And should I be displaying my output text using CHtml::encode even though I am purifying the input?
My rough plan to deal with the data is:
$users = new Users(); // Users extends CModel and contains the validation rules
$users->getdata(Yii::app()->user->id); // load the current user's row into the model
if (isset($_POST['update']))
{
    $users->attributes = $_POST['Users']; // assign the submitted form values before validating
    if ($users->validate())
    {
        $users->updatedata();
    }
}
$this->render('users', array('data' => $users));
Recommended answer
CFormModel inherits from CModel; CModel is just a generic model class. There are no performance differences in using CFormModel, which is what would suit your application better if you don't plan to use CActiveRecord.
For 'functions to perform SQL queries', hopefully you mean stored procedures; otherwise there is not that big a performance gain, and even then, writing your own SQL queries only for insertion and retrieval of single models doesn't help much. My advice is that you care about performance later on, once you really have something to improve upon.
Purifying the input is different from encoding. With HTML Purifier you eliminate harmful HTML to prevent XSS, or other tags you don't want to allow, but a string could still contain ( ' ) for example. What CHtml::encode does is just generate the HTML equivalent, so that you get HTML entities instead.
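The following is an added example, not code from the question or the answer, showing how the two points above fit together in a Yii 1.1 CFormModel: the validation rules live in the model, HTML Purifier runs once as a filter rule on the one attribute that is allowed to carry markup, the hand-written SQL uses bound parameters, and the view encodes plain-text fields while outputting the purified field as-is. The class name ProfileForm, the profile table and its columns, and the controller and view names are assumptions made for illustration.

```php
<?php
// Added example (not from the question or the answer). Names of the model,
// table, columns, controller and view are assumptions for illustration.

class ProfileForm extends CFormModel
{
    // CFormModel derives attributeNames() from its public properties, so no
    // attributeNames() override is needed (a plain CModel subclass must define it).
    public $email; // plain text: stored as typed, encoded when displayed
    public $about; // rich text: HTML allowed, so it is purified on input

    public function rules()
    {
        return array(
            array('email, about', 'required'),
            array('email', 'email'),
            array('email', 'length', 'max' => 254),
            // Purify as a filter rule: the attribute is rewritten in place and the
            // cost is paid once per submission, not on every page view.
            array('about', 'filter', 'filter' => array($this, 'purify')),
            array('about', 'length', 'max' => 4000),
        );
    }

    public function purify($html)
    {
        $purifier = new CHtmlPurifier();
        // Whitelist: only this markup survives; scripts, event handlers and
        // any tag or attribute outside the list are removed.
        $purifier->options = array(
            'HTML.Allowed'       => 'p,br,b,i,em,strong,a[href]',
            'URI.AllowedSchemes' => array('http' => true, 'https' => true),
        );
        return $purifier->purify($html);
    }

    // Hand-written SQL with bound parameters: values never become part of the SQL text.
    public function save($userId)
    {
        $sql = 'UPDATE profile SET email = :email, about = :about WHERE user_id = :id';
        return Yii::app()->db->createCommand($sql)
            ->bindValue(':email', $this->email)
            ->bindValue(':about', $this->about)
            ->bindValue(':id', (int) $userId, PDO::PARAM_INT)
            ->execute();
    }
}

class ProfileController extends CController
{
    public function actionUpdate()
    {
        $model = new ProfileForm();
        if (isset($_POST['ProfileForm'])) {
            // Mass assignment only touches attributes that appear in rules().
            $model->attributes = $_POST['ProfileForm'];
            if ($model->validate() && $model->save(Yii::app()->user->id)) {
                $this->redirect(array('view'));
            }
        }
        $this->render('update', array('model' => $model));
    }
}

// --- views/profile/update.php (excerpt), shown as comments to keep this one file ---
// Plain-text field: encode, so <, >, &, " and ' become entities in the page.
//   echo CHtml::encode($model->email);
// Purified field: output as-is; it is already safe HTML, and encoding it again
// would display the allowed tags literally. Inside an HTML attribute or a
// JavaScript string it must still be encoded for that context.
//   echo $model->about;
```

The split matters for the asker's last question: purification decides which markup a field may contain, encoding decides how a value is rendered in a given output context. A field that is never meant to hold HTML needs no purifier at all, only CHtml::encode at output time; a field that is meant to hold HTML is purified once on input and then emitted raw into element content only.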