CDbCommand bind param if exists

reanimator · May 4, 2015, 9:06pm

Is there a way to bind a param to the query only if it exists.

I tried the andWhere() (using v 1.1.15), and it does not appear to apply the filter correctly. I am binding variables to the command for static variables which are required.

I pass a filter to the server like this:

    if(is_array(&#036;_POST['filter'])){


        foreach(&#036;_POST['filter'] as &#036;key=&gt;&#036;value){


            if(&#036;value == ''){continue;}


            echo 'binding '.&#036;key;


            &#036;command-&gt;andWhere(&#036;key.' = :'.&#036;key, array(&#036;key=&gt;&#036;value));


        }


    }

Am I doing things correctly. Does this type of query expose me to sql injection?

georaldc · May 4, 2015, 11:27pm

Not an expert in SQL injection but maybe? Since your allowing the outside world to not only pass in values (which parameter binding should take care of), but your also accepting data to define what keys/columns to search for. I don’t think think the DB Command class would escape the condition string parameter, though I may be wrong.

What are you trying to build? Does it have to be as dynamic as what you are creating here?

reanimator · May 5, 2015, 11:30am

Thanks for the reply. I opted to go away from using the command and to using a criteria. I’ve changed the code to this, and it’s working as expected. I’d still like advice on if it’s vulnerable to injection, or if Yii somehow will sanitize the conditions.


        if(is_array($_POST['filter'])){

            foreach($_POST['filter'] as $key=>$value){

                if($value == ''){continue;}

                $criteria->addCondition($key.' = :filter'.$value);

                $criteria->params[':filter'.$value] = $value;

            }

        }