access rule expression with $_GET or $_POST parameters

Hi,

I often use this kind of access rule:

array('allow',
  'actions' => array('create'),
  'expression' => 'Yii::App()->user->hasPermission(Permissions::PERM_DIR_CREATE, $_GET[\'pid\'])'
),

I wonder if it's safe to use $_GET directly.

I use model validation rules before modifying the db but it happens later.

How can I validate GET/POST inputs as soon as possible, before checking access rules?

Thanks

No, using $_GET directly is not safe. You need to sanitize user input first.

What's the cleanest way to do that with Yii?

Depends on what type of value you are expecting.

I assume you need an integer; then you could do it easily like this:

intval($_GET['pid'])

or

(int) $_GET['pid']



So, your code would look like this:

array('allow',
  'actions' => array('create'),
  'expression' => 'Yii::App()->user->hasPermission(Permissions::PERM_DIR_CREATE, ' . (int) $_GET['pid'] . ')'
),
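As an added example (not code from this thread or from Yii itself), the following stand-alone PHP script shows why a plain `(int)` cast is a weaker check than strict validation, and how to build the access rule only from an already-validated id. It assumes the parameter is named `pid` as in the thread, that valid ids are positive integers, and that `hasPermission()` and `Permissions::PERM_DIR_CREATE` exist in the application (they are only referenced inside the rule string, never called here). The sample request arrays are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: validate a request id strictly
// before it reaches an access-rule expression.
// Assumptions: parameter name 'pid' (as in the thread), ids are integers >= 1,
// and hasPermission()/Permissions::PERM_DIR_CREATE exist in the application.

/**
 * Return the validated id as an int, or null if the raw value is not an
 * unsigned decimal integer >= 1. Unlike (int)/intval(), this rejects
 * "5abc", "-1", "0", "" and missing or array-valued parameters instead
 * of silently coercing them to some integer.
 */
function validatedId(array $request, string $name): ?int
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return null;                    // missing, or an array such as ?pid[]=1
    }
    $id = filter_var(
        $request[$name],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

/**
 * Build the access rule from the thread from an already-validated id.
 * Only the integer is ever concatenated into the evaluated expression.
 */
function createAccessRule(int $pid): array
{
    return array('allow',
        'actions'    => array('create'),
        'expression' => 'Yii::app()->user->hasPermission(Permissions::PERM_DIR_CREATE, ' . $pid . ')',
    );
}

// Constructed sample inputs comparing a bare cast with strict validation.
$samples = array(
    array('pid' => '42'),       // valid
    array('pid' => '5abc'),     // (int) silently gives 5
    array('pid' => '-1'),       // (int) gives -1
    array('pid' => '0'),        // (int) gives 0
    array(),                    // missing parameter
    array('pid' => array('1')), // ?pid[]=1, not a string at all
);

foreach ($samples as $get) {
    $raw  = isset($get['pid']) ? var_export($get['pid'], true) : '(missing)';
    $cast = (isset($get['pid']) && is_string($get['pid'])) ? (string) (int) $get['pid'] : 'n/a';
    $id   = validatedId($get, 'pid');
    if ($id === null) {
        // In a Yii controller this is where you would reject the request,
        // e.g. throw new CHttpException(400, 'Invalid pid') from a filter
        // or beforeAction(), so the rule is never built from bad input.
        printf("%-16s cast=%-4s validated=REJECT (400)\n", $raw, $cast);
        continue;
    }
    $rule = createAccessRule($id);
    printf("%-16s cast=%-4s validated=%d  rule: %s\n", $raw, $cast, $id, $rule['expression']);
}
```

Running the script prints one line per sample; only `'42'` produces a rule, while the other five are rejected before any access-rule string is assembled. The design point is ordering: validate the raw parameter in a filter or `beforeAction()` that runs before the access rules are evaluated, and then pass only the resulting integer into the expression, rather than letting the expression string reach into `$_GET` itself.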