I am building a db intensive application in yii . So performance and security are naturally a concern . Apart from that form validation is also a major criteria . For security I plan to use parameter binding for all Sql Queries . For validation I want to use validators provided by Yii instead of rolling out my own . I am aware that performance takes a hit with CActiveRecord . So I plan to make Cmodel classes for all my tables , define validation rules in these respective models and also define functions to perform the sql queries for retrieval and insertion of data . All my data collection on the website is primarily through forms (about 95%) , should I use Cformmodel , I dont really understand the distinction between Cmodel and Cformmodel , is there any performance hit in using either .
Also to prevent XSS attack I want to use HTML purify wrapper as a validation rule , since I read almost everywhere that performance is bad for this wrapper , is it going to be bad even if I use it as a validation rule ? And should I be displaying my output text using Chtml::Encode even though I am purifying the input ?
My rough plan to deal with the data is :
$users= new Users() ; //Users is extending CModel , contains validation rules
$users=getdata(Yii->app->userid()) ;
if(isset('update'))
{
if($users->validate())
{$users->updatedata() ; }
}
$this->render('users','data'=>$users)
CFormModel inherits from CModel, CModel is just a generic Model class, there are not performance differences in using CFormModel, which is what would suit more for your application if you don't plan to use CActiveRecord.
For 'functions to perform sql queries' hopefully you mean stored procedures, other wise there is not that big performace gain, even then, writing your own SQL queries only for insertion and retrieval of single models doesn't help much. My advice is that you care about performance latter on. once you really have something to improve upon.
Purifying the input its different from encoding, with HTML purify you eliminate harmfull html to prevent XSS or other tags you dont want to allow. but a string could still contain ( ' ) for example. what CHtml::encode does, its just generating the HTML equivalent, so that you get html entities instead.
I have posted a link to yii forum where you can find best answer.
Yii Forum Link
CModel
Model class is base for both CFormModel
& CActiveRecord
.
CActiveRecord
is used when we perform CRUD operation with a table of a database & needs variable definition according to them.
CFormModel
is used when we don't need CRUD operation but a logical operation like Login Form. Here we don't use any table for the model.
This is called Premature Optimization Syndrome as you are blocking your development with early and unnecessary optimization.
Develop your application first with the best model/schema as you can, only after look for the bottlenecks and ways to increase performance, load time etc.
Yii implements two kinds of models:
Both extend from the same base class CModel. A form model is an instance of CFormModel. Form model is used to keep data collected from user inputs. Such data are often collected, used and then discarded. For example, on a login page, we can use a form model to represent the username and password information that are provided by an end user. For more details, please refer to Working with Form
Active Record (AR) is a design pattern used to abstract database access in an object-oriented fashion. Each AR object is an instance of CActiveRecord or its child class, representing a single row in a database table. The fields in the row are represented as properties of the AR object. Details about AR can be found in Active Record.
Source
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With