I'm only using the h() function when displaying it on the admin zone (so the admin session is valid), but I don't know if that's enough or if I'm missing something.
- Protect against SQL injection by using bind variables in your code.
- When you populate your model object from a form, use attr_protected to prevent malicious users from accessing fields that are not intended for users to populate (like approved, paid fields, etc.).
- Always check the id parameter to make sure that the id parameter belongs to that user, to avoid exposing records that belong to other users.
- Protect all methods that are not supposed to be invoked from the URL by using the protected or private keyword for those methods.
- Don't run an FTP server or echo server on your production machine.
- Use the HTTPS protocol for sensitive data.
- Don't cache authenticated pages.