Avoiding User Input Issues

I’m wanting advice as to the proper way to handle function arguments. With a controller action such as

public function actionPrintInvoice($id = false)
{
    if (!$id) {
        throw new NotFoundHttpException(Yii::t('app', 'Invalid Request.'));
    }

    $id = HtmlPurifier::process($id);

    $modelInvoice = $this->findModel($id);
    $modelInvoiceItems = $modelInvoice->invoiceItems;
    return $this->render('print', [
        'modelInvoice' => $modelInvoice,
        'modelInvoiceItems' => (empty($modelInvoiceItems)) ? [new InvoicesItems] : $modelInvoiceItems,
    ]);
}

Is using HTMLPurifier the proper route? Is simply using PHP’s is_numeric() too ‘weak’ from a security standpoint? Just looking for a Best Practice approach that I can universally implement to try and minimize issues.

Hi @DBCreator,

There’s no need to use HtmlPurifier. Even a call to is_numeric() is redundant in this use case. As long as you use ActiveRecord methods only, you don’t have to worry about the user input for the query parameters.

https://www.yiiframework.com/doc/guide/2.0/en/security-best-practices#avoiding-sql-injections

2 Likes
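An added example of the approach described in the answer above (not softark's code, nor anything posted in this thread): the same action without HtmlPurifier, relying on the controller's scalar parameter binding and on ActiveRecord's query parameter binding. The `InvoicesController` and `Invoices` model class names are assumptions; the page only shows `InvoicesItems` and `$this->findModel()`.

```php
<?php
// Added example, not the poster's code. Assumes an `Invoices` ActiveRecord
// model with an integer `id` primary key and an `invoiceItems` relation.

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use app\models\Invoices;      // assumed model class
use app\models\InvoicesItems; // class name taken from the original post

class InvoicesController extends Controller
{
    // yii\web\Controller binds $id from the request before the action runs:
    // a missing parameter or an array value is rejected with a 400 response,
    // so inside the action $id is always a scalar.
    public function actionPrintInvoice($id)
    {
        $modelInvoice = $this->findModel($id);
        $modelInvoiceItems = $modelInvoice->invoiceItems;

        return $this->render('print', [
            'modelInvoice' => $modelInvoice,
            'modelInvoiceItems' => empty($modelInvoiceItems) ? [new InvoicesItems()] : $modelInvoiceItems,
        ]);
    }

    protected function findModel($id)
    {
        // Naming the column explicitly and passing the value inside the
        // condition array makes ActiveRecord bind it as a query parameter;
        // the input is never interpolated into the SQL text. The unsafe
        // pattern the linked guide warns about is building the statement
        // yourself, e.g. findBySql("... WHERE id = $id").
        $model = Invoices::findOne(['id' => $id]);

        if ($model === null) {
            throw new NotFoundHttpException(Yii::t('app', 'Invalid Request.'));
        }

        return $model;
    }
}
```

Because the parameter no longer defaults to `false`, an invoice with id `0` is looked up normally instead of being rejected by the `!$id` check.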

Thank you for all your help softark!