Avoiding SQL injections

Silly question about avoiding SQL injections: I think my app is doing okay, but I'm just checking to make sure it is doing what I think it is :)

I have a button; on click it opens a modal that has a comment.

The user enters a comment, then clicks submit.

Behind the scenes, an AJAX POST request is sent out to register the comment.

Here is my backend:

    $item = Item::findOne($id);                           // look up the item being commented on

    if ($item === NULL) return 0;                         // unknown item: nothing to update

    $item->comment = Yii::$app->request->post('comment');

    $item->save();                                        // validates against rules(), then writes

If the bad guys try SQL injection, am I safe from the wrath of my boss?

Make a proper validation rule for 'comment' and you are good to go.
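The reason the save() call above is not exposed to SQL injection is parameter binding, which Yii's ActiveRecord performs for you. The following is an added example, not code from the thread, contrasting an interpolated query with a bound one and with the ActiveRecord path; it assumes a Yii 2 application with an `item` table (columns `id`, `comment`) and the thread's `Item` ActiveRecord model.

```php
<?php
// Added example (not from the thread). Shows why the thread's
// $item->save() is protected from SQL injection: Yii binds values as
// query parameters instead of splicing them into the SQL text.
// Assumptions: a Yii 2 application, an `item` table with columns
// `id` and `comment`, and the thread's `Item` ActiveRecord model.

use yii\db\Connection;

// UNSAFE pattern, shown only for contrast: the comment text becomes part of
// the SQL statement, so a quote character in it changes the statement.
function saveCommentInterpolated(Connection $db, $id, $comment)
{
    return $db->createCommand("UPDATE item SET comment = '$comment' WHERE id = $id")
        ->execute();
}

// SAFE: the SQL text contains only placeholders; the values travel
// separately and are never parsed as SQL, whatever characters they hold.
function saveCommentBound(Connection $db, $id, $comment)
{
    return $db->createCommand('UPDATE item SET comment = :comment WHERE id = :id')
        ->bindValues([':comment' => $comment, ':id' => (int) $id])
        ->execute();
}

// What the thread does. findOne($id) builds the hash condition ['id' => $id],
// which is bound, and save() validates against rules() and then issues an
// UPDATE with bound parameters, so no user input reaches the SQL text.
function saveCommentActiveRecord($id, $comment)
{
    $item = Item::findOne($id);
    if ($item === null) {
        return 0;
    }
    $item->comment = $comment;
    return $item->save() ? 1 : 0;
}

// Typical call from the controller action behind the AJAX POST:
// saveCommentActiveRecord($id, Yii::$app->request->post('comment'));
```

The protection ends where a raw SQL string begins: a string condition such as `where("id = $id")` interpolates the value into the statement and needs `bindValues()` or an array/hash condition instead. Binding also says nothing about what the stored text does when it is rendered back into a page; that is the separate XSS question raised further down the thread.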

Here is my rule; is it good enough?

    public function rules()
    {
        return [
            [['project_id', 'name', 'status'], 'required'],
            [['comment'], 'string', 'max' => 1024],
        ];
    }

You are not safe here from XSS attacks. Consider using the HTMLPurifier filter on this attribute as well.

I just want to make sure: HTMLPurifier must be used only for inserting and updating the database?

Yes, you don't want to use it every time you render the view because it slows the process. Use it once, save the result.

Or limit the HTML tags needed for a comment and strip the rest!
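Putting the two replies together (purify once, on save, and allow only the tags a comment needs): an added example, not the thread's model, of a rules() method with a filter validator that runs HtmlPurifier on the comment before it is stored. It assumes a Yii 2 ActiveRecord model over an `item` table with the columns named in the thread; the `app\models` namespace and the allowed-tag list are assumptions for illustration.

```php
<?php
// Added example (not the thread's model): the comment is purified once, in
// the validation step that save() runs, so the stored value is already safe
// to render. Assumes a Yii 2 ActiveRecord model over an `item` table with
// the columns referenced below; the namespace and the allowed-tag list are
// assumptions for illustration.

namespace app\models;

use yii\db\ActiveRecord;
use yii\helpers\HtmlPurifier;

class Item extends ActiveRecord
{
    public static function tableName()
    {
        return 'item';
    }

    public function rules()
    {
        return [
            [['project_id', 'name', 'status'], 'required'],
            // Validators run in the order listed. Purify first so that the
            // length check below applies to the value that is actually stored
            // (the purifier may close unclosed tags and lengthen the input).
            [['comment'], 'filter', 'filter' => [$this, 'purifyComment']],
            [['comment'], 'string', 'max' => 1024],
        ];
    }

    // Keeps only the tags a comment needs and strips everything else
    // (<script>, inline event handlers, javascript: links, ...).
    public function purifyComment($value)
    {
        if ($value === null || $value === '') {
            return $value;   // nothing to purify
        }
        return HtmlPurifier::process($value, [
            'HTML.Allowed'       => 'p,br,b,strong,i,em,a[href]',
            'URI.AllowedSchemes' => ['http' => true, 'https' => true],
        ]);
    }
}
```

Because the purifier runs inside validate(), the controller's `$item->save()` from the first post is all that is needed; the cost is paid once per write, not on every render. On output, the purified `comment` can be echoed as HTML, while attributes that were not purified (such as `name`) should still go through `Html::encode()`.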