nguyendh
(Duynguyen0511)
1
Silly question about avoiding SQL injections. I think my app is doing okay, but just checking to make sure it is what I think it is.
Have a button; on click it will open a modal that has a comment.
The user enters a comment, then clicks submit.
Behind the scenes, an AJAX POST request is sent out to register the comment.
Here is my backend
$item = Item::findOne($id);                          // look up the row by primary key
if ($item === null) return 0;                        // nothing to update
$item->comment = Yii::$app->request->post('comment'); // raw user input from the AJAX POST
$item->save();                                       // runs the model's rules(), then UPDATE
If the bad guys try SQL injection, am I safe from the wrath of my boss?
Bizley
(Bizley)
2
Make a proper validation rule for ‘comment’ and you are good to go.
nguyendh
(Duynguyen0511)
3
Here is my rule, is it good enough?
public function rules()
{
    return [
        [['project_id', 'name', 'status'], 'required'],
        [['comment'], 'string', 'max' => 1024],
    ];
}
Bizley
(Bizley)
4
You are not safe here from XSS attacks. Consider using the HTMLPurifier filter on this attribute as well.
camel
(Filip Havlicek)
5
I just want to make sure: HTMLPurifier must be used only for inserting and updating the database?
Bizley
(Bizley)
6
Yes, you don’t want to use it every time you render a view because it slows the process. Use it once, save the result.
evstevemd
(Stefano Mtangoo)
7
Or limit the HTML tags needed for the comment and strip the rest!
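Pulling the thread's advice together (Bizley's "purify once on input, save the result" from posts 4 and 6, and evstevemd's "allow a few tags, strip the rest" from post 7), here is an added example of a Yii 2 model that sanitizes the comment attribute in its rules. This is not code from the thread; the table name and the allowed-tag lists are assumptions.

```php
<?php
// Added example, not from the thread: Yii 2 ActiveRecord model that sanitizes
// `comment` once on input (posts 4 and 6) and shows the strip-the-rest
// alternative from post 7. Table name and allowed-tag lists are assumptions.
namespace app\models;

use yii\db\ActiveRecord;
use yii\helpers\HtmlPurifier;

class Item extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%item}}'; // assumed table name
    }

    public function rules()
    {
        return [
            [['project_id', 'name', 'status'], 'required'],
            // Validators run in the order listed: trim, sanitize, then length-check
            // the sanitized value, so what is stored never exceeds 1024 characters.
            [['comment'], 'trim'],
            [['comment'], 'filter', 'filter' => function ($value) {
                // HtmlPurifier rewrites the markup: tags outside the allow-list,
                // event-handler attributes and javascript: URLs are dropped.
                // This runs once, on save, and the clean result is what gets stored.
                return HtmlPurifier::process($value, [
                    'HTML.Allowed' => 'p,br,b,i,em,strong,a[href]',
                ]);
            }],
            // Alternative from post 7: keep a few tags and strip everything else.
            // strip_tags() keeps attributes (e.g. onclick) on the tags it allows,
            // so the purifier above is the safer of the two.
            // [['comment'], 'filter', 'filter' => function ($v) {
            //     return strip_tags($v, '<b><i><em><strong>');
            // }],
            [['comment'], 'string', 'max' => 1024],
        ];
    }
}
```

On the original SQL-injection question: `save()` validates and then issues its UPDATE with the attribute value bound as a PDO parameter, so the comment text is data, never part of the SQL statement. The rules above deal with the separate problem of what that stored value contains when it is later rendered.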