I am passing an id to my action action1my as action1my($id)
Then I am running a CDbCriteria like
$criteria->compare('id', $id, false, 'AND');
Is this okay or does it need some validation?
It's OK since a PDO prepared statement is used in this case and no classical SQL injection is possible.
Actually that's not true. The CDbCriteria compare does not prevent SQL injection.
And how is that possible? As far as I know, the compare function uses named parameters in the SQL query, which prevents SQL injection. Could you provide an example of how you can inject something in such a scenario?
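An added example, not code from the question or from Yii, addressing the original "does it need some validation?": the route parameter is validated as a plain integer before it reaches compare(). The stand-in buildCondition() only mirrors how compare() binds the value to a named placeholder (the :ycpN naming is an assumption about Yii 1.1 internals); in a real controller you would call $criteria->compare('id', $id) with the validated value.

```php
<?php
// Added example, not part of the question or of the Yii framework.
// The action receives $id as a string taken from the URL.

// Returns the id as an int, or null if it is not a plain non-negative integer string.
function validateId(string $id): ?int
{
    // ctype_digit rejects quotes, signs, whitespace and decimals, and also the
    // leading comparison operators (<, >, <>, <=, >=, =) that compare() honours
    // in its value argument per the Yii 1.1 documentation.
    if ($id === '' || !ctype_digit($id) || strlen($id) > 18) {
        return null;
    }
    return (int) $id;
}

// Minimal stand-in for the binding compare() performs: the column name is fixed
// in the SQL text and the value travels as a bound parameter, so a quote inside
// the value never terminates the literal. Assumption: placeholder naming :ycpN.
function buildCondition(string $column, $value, int &$paramCount): array
{
    $param = ':ycp' . $paramCount++;
    return [
        'condition' => "$column=$param",
        'params'    => [$param => $value],
    ];
}

// Constructed sample inputs: a valid id, a classic quote-based payload,
// an operator-prefixed value and an empty string.
$inputs = ['42', "1' OR '1'='1", '>0', ''];
$paramCount = 0;
foreach ($inputs as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        // In a real action: throw new CHttpException(400, 'Invalid id');
        echo "rejected: " . var_export($raw, true) . "\n";
        continue;
    }
    $c = buildCondition('id', $id, $paramCount);
    echo $c['condition'] . ' with ' . json_encode($c['params']) . "\n";
}
```

Only '42' survives validateId(); the other three are rejected before any criteria object is built, which is the check the question asked about.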