Avoiding User Input Issues

I’m wanting advice as to the proper way to handle function arguments. With a controller action such as

public function actionPrintInvoice($id = false)
{
    if (!$id) {
        throw new NotFoundHttpException(Yii::t('app', 'Invalid Request.'));
    }

    $id = HtmlPurifier::process($id);

    $modelInvoice = $this->findModel($id);
    $modelInvoiceItems = $modelInvoice->invoiceItems;
    return $this->render('print', [
        'modelInvoice' => $modelInvoice,
        'modelInvoiceItems' => (empty($modelInvoiceItems)) ? [new InvoicesItems] : $modelInvoiceItems,
    ]);
}

Is using HTMLPurifier the proper route? Is simply using PHP’s is_numeric() too ‘weak’ from a security standpoint? Just looking for a Best Practice approach that I can universally implement to try and minimize issues.

Hi @DBCreator,

There’s no need to use HtmlPurifier. Even a call to is_numeric() is redundant in this use case. As long as you use only ActiveRecord methods, you don’t have to worry about the user input for the query parameters.
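To make the point concrete, here is an added example (not code from the thread) of the same action written so that the lookup relies on ActiveRecord's parameter binding, next to the raw-SQL form that would actually need the value validated. It assumes a Yii2 model class `app\models\Invoices` for an `invoices` table; `findModel` and `InvoicesItems` are taken from the question.

```php
<?php
// Added example; `app\models\Invoices` is an assumed model for the `invoices` table.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use app\models\Invoices;

class InvoicesController extends Controller
{
    // findOne($id) becomes "SELECT * FROM invoices WHERE id=:qp0" with $id
    // passed to the driver as a bound parameter, so there is nothing for
    // HtmlPurifier or is_numeric() to do here. A missing row is a 404.
    protected function findModel($id)
    {
        $model = Invoices::findOne($id);
        if ($model === null) {
            throw new NotFoundHttpException(Yii::t('app', 'Invalid Request.'));
        }
        return $model;
    }

    public function actionPrintInvoice($id = null)
    {
        if ($id === null) {
            throw new NotFoundHttpException(Yii::t('app', 'Invalid Request.'));
        }
        $modelInvoice = $this->findModel($id);
        return $this->render('print', [
            'modelInvoice'      => $modelInvoice,
            'modelInvoiceItems' => $modelInvoice->invoiceItems,
        ]);
    }

    // Contrast: raw SQL assembled by string interpolation does not bind the
    // value, so "WHERE id = $id" is the case where input validation matters.
    // When raw SQL is unavoidable, a named placeholder restores the binding:
    protected function findRowRaw($id)
    {
        return Yii::$app->db
            ->createCommand('SELECT * FROM invoices WHERE id = :id', [':id' => $id])
            ->queryOne();
    }
}
```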
Thank you for all your help softark!