Cactiverecord::findbypk()

dhiman252 · September 5, 2014, 1:40pm

i am using findByPk method for retriving the results from the database.

This method is working wrong. i supply the parameter as $id=1 for this statement

echo "<pre>"; print_r(User::model()->findByPk($id));

It gives me the result.

But when i input the parameter as $id=1dsdasad; to the below statement

echo "<pre>"; print_r(User::model()->findByPk($id));

It still fetches the record from the database;

findByPk() method is working like the ‘like’ query!!

Keith · September 5, 2014, 1:54pm

I suspect that because PDO is expecting an integer, it’s using PHP’s type conversion functions to change that string into an integer. PHP will just take the leading digits and ignore any remaining junk, so in your case, it’s taking the 1 from the beginning and ignoring everything else.

You can see how PHP converts strings to numbers here.

dhiman252 · September 5, 2014, 2:10pm

ok… then how can this be corrected ??

findByAttributes() is also behaving in the same way.

Is there any other way to achieve the results ??

Keith · September 5, 2014, 2:29pm

There are several ways.

You could introduce a test to make sure the value you’re using matches the expected format before attempting to do the lookup:




    public function actionTest($id)

    {

        if (!preg_match('/^\d+$/', $id))

            throw new CHttpException(400, 'Invalid request.');


        ...

    }

You might want to wrap the logic up in a separate class and method.

The question is, do you really need to worry about it? Does it matter that "1dsdasad" returns the record with ID 1?

dhiman252 · September 5, 2014, 2:44pm

yes i am really worried about this because i am creating an api and i has sensitive data.

i have print the validators using the below statement

echo "<pre>"; print_r(User::model()->findByPk($id)->validators );

Now can you please tell me that how can i use the CNumberValidator to validate this id as input before fetching the results ?

Keith · September 5, 2014, 3:09pm

My point is, if the person using your API has access to the record with ID 1, then it doesn’t matter whether they pass the number or that string. No changes are being made.

When updates are performed, each field that can be massively assigned is validated to prevent any badly formatted values. There is no risk when simply fetching the record.

Validators are not used (for this very reason) when fetching records.

The simplest option is to validate the value in your action, as the model isn’t designed to do what you’re attempting.

alirz23 · September 6, 2014, 4:22am

if you created your crud with gii it will provide you with performAjaxValidation method in your controller you can comment that and in your model you can add the rules you need as simple as that


$this->performAjaxValidation($model);


/**

     * Performs the AJAX validation.

     * @param Post $model the model to be validated

     */

    protected function performAjaxValidation($model)

    {

        if(isset($_POST['ajax']) && $_POST['ajax']==='post-form')

        {

            echo CActiveForm::validate($model);

            Yii::app()->end();

        }

    }

dhiman252 · September 6, 2014, 6:58am

alirz23:

if you created your crud with gii it will provide you with performAjaxValidation method in your controller you can comment that and in your model you can add the rules you need as simple as that
$this->performAjaxValidation($model);
/**

     * Performs the AJAX validation.

     * @param Post $model the model to be validated

     */

    protected function performAjaxValidation($model)

    {

        if(isset($_POST['ajax']) && $_POST['ajax']==='post-form')

        {

            echo CActiveForm::validate($model);

            Yii::app()->end();

        }

    }

I have done in the same manner. Thanks Keith and alirz23