Improper Error Handling 典型攻击 n 注入类（以其人之道还治其人之身） q SQL注入 q OS命令注入 q LDAP注入 q 远程文件包含 n 绕过防御类（凌波微步） q 目录遍历 q 不安全对象引用 n 跨站类（隔山打牛） q 跨站脚本 q 跨站请求伪造 n 资源消耗类（吸星大法）

CSV files, LDAP entries, or iCal events. DataSources allow you to associate records from different sources: rather than being limited to SQL joins, DataSources allow you to tell your LDAP model that it interested in writing datasources for external sources of data, such as remote REST APIs or even an LDAP server. So that’s what we’re going to look at now. Basic API For DataSources A datasource can, and create custom authorize objects in your application or plugins. If for example you wanted to create an LDAP authorize object. In app/Controller/Component/Auth/LdapAuthorize.php you could put the following:

you might write additional DataSources that allow your models to represent RSS feeds, CSV files, LDAP 26 Chapter 1. Getting Started CakePHP Cookbook Documentation, Release 2.x entries, or iCal events from different sources: rather than being limited to SQL joins, DataSources allow you to tell your LDAP model that it is associated with many iCal events. Like controllers, models have callbacks: • beforeFind() interested in writing datasources for external sources of data, such as remote REST APIs or even an LDAP server. So that’s what we’re going to look at now. Basic API For DataSources A datasource can, and

create custom authorize objects in your application or plugins. If for example, you wanted to create an LDAP authorize object. In src/Auth/LdapAuthorize.php you could put the following: namespace App\Auth; BaseAuthorize { public function authorize($user, ServerRequest $request) { // Do things for ldap here. } } Authorize objects should return false if the user is denied access, or if the object by including them in your AuthComponent’s authorize array: $this->Auth->config('authorize', [ 'Ldap', // app authorize object. 'AuthBag.Combo', // plugin authorize object. ]); Using No Authorization

create custom authorize objects in your application or plugins. If for example, you wanted to create an LDAP authorize object. In src/Auth/LdapAuthorize.php you could put the following: namespace App\Auth; extends BaseAuthorize { public function authorize($user, ServerRequest $request) { // Do things for ldap here. } } Authorize objects should return false if the user is denied access, or if the object is them by including them in your AuthComponent’s authorize array: $this->Auth->config('authorize', [ 'Ldap', // app authorize object. 'AuthBag.Combo', // plugin authorize object. ]); Using No Authorization

create custom authorize objects in your application or plugins. If for example, you wanted to create an LDAP authorize object. In src/Auth/LdapAuthorize.php you could put the following: namespace App\Auth; BaseAuthorize { public function authorize($user, ServerRequest $request) { // Do things for ldap here. } } Authorize objects should return false if the user is denied access, or if the object including them in your AuthComponent’s authorize array: $this->Auth->setConfig('authorize', [ 'Ldap', // app authorize object. 'AuthBag.Combo', // plugin authorize object. ]); Using No Authorization

create custom authorize objects in your application or plugins. If for example, you wanted to create an LDAP authorize object. In src/Auth/LdapAuthorize.php you could put the following: namespace App\Auth; extends BaseAuthorize { public function authorize($user, ServerRequest $request) { // Do things for ldap here. } } Authorize objects should return false if the user is denied access, or if the object is by including them in your AuthComponent’s authorize array: $this->Auth->setConfig('authorize', [ 'Ldap', // app authorize object. 'AuthBag.Combo', // plugin authorize object. ]); 278 Chapter 10. Controllers