CakePHP

Preventing Cross-site Scripting (XSS) with CakePHP 2.x

Without proper care, developers can leave their CakePHP website open to cross-site scripting attacks. Controllers using scaffold functions do not sanitize data, which leaves the website vulnerable. The bake tool in the console generates controllers that are as simple as the scaffold version. Some suggest storing the unsanitized data and escaping the dangerous characters on output. In a perfect world I would agree with this approach, but it is easy to forget to sanitize output every time, or for an amateur developer to be ignorant of the dangers.

AJAX Pagination and Sorting with CakePHP 2.x

CakePHP comes with a core JsHelper that allows a developer to call PHP functions that generate the JavaScript for a number of libraries, including jQuery and Prototype. Pagination in CakePHP is a very common task, and it can be enhanced using AJAX. Fortunately, the Pagination component and helper are built to handle AJAX. You can set the pagination defaults in the controller with the code below. Alternatively, you could set specific elements of the array inside an action with a call like $paginate['conditions'] = array();

AJAX Form Submit with CakePHP 2.x

CakePHP has some great tools for a PHP developer to crank out JavaScript functions using only PHP. The JsHelper supports Prototype/Scriptaculous, Mootools/Mootools-more, and jQuery/jQuery UI. Refer to the CakePHP Book for details on all the functions provided by the JsHelper. In this example we're going to look at creating a contact form that submits via AJAX but also works properly for users without JavaScript.

Writing Secure Code with CakePHP 2.x Forms

CakePHP is one of my favorite web frameworks. There is one glaring security hole that caught my attention though. Without proper care from the developer, users have the potential to tamper with data sent with forms. For example, a common operation is to take the value from a form and save it like this:

$this->User->save($this->request->data['User']);

Let's say the user manipulates the form and adds this line:

CakePHP vs Drupal

There are many PHP frameworks out there, but two of my personal favorites are Drupal and CakePHP. WordPress is another popular one, and I have done many projects with it. I will say that WordPress has great documentation and a clean API, but it is rather limited in its capabilities. CakePHP and Drupal have proven to be flexible, scalable, and perfect for certain uses. The bottom line in this debate is that both are great, and both serve their purposes. Between CakePHP and Drupal, I feel a project of any size can be accomplished.