I’m a little unclear. Does getQueryParam() sanitize user input, or does it return raw data that needs to be sanitized via htmlspecialchars() after being called?
I didn’t see this in:
Looking at the framework source code at vendor/yiisoft/yii2/web/Request.php (pasted below), it does not appear that any sanitization is being performed.
    private $_queryParams;

    /**
     * Returns the request parameters given in the [[queryString]].
     *
     * This method will return the contents of `$_GET` if params were not explicitly set.
     * @return array the request GET parameter values.
     * @see setQueryParams()
     */
    public function getQueryParams()
    {
        // No filtering or escaping happens here: the raw superglobal is returned as-is.
        if ($this->_queryParams === null) {
            return $_GET;
        }
        return $this->_queryParams;
    }
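To make the consequence concrete, here is an added example (not code from the thread or from the Yii framework) that mimics the pass-through behaviour shown above with a stand-in getQueryParam() over a constructed $_GET, and then applies htmlspecialchars() at the point where the value is written into HTML; encodeForHtml() and the sample query values are my own names and data.

```php
<?php
// Constructed input: what the server sees for ?name=<script>alert(1)</script>&page=2abc
$_GET = ['name' => '<script>alert(1)</script>', 'page' => '2abc'];

// Stand-in for yii\web\Request::getQueryParam(): the value comes back exactly as sent.
function getQueryParam(string $name, $default = null)
{
    return $_GET[$name] ?? $default;
}

// Output encoding: applied when the value is placed into HTML text or an attribute,
// not when it is read. ENT_QUOTES covers both quote styles so attribute contexts are safe too.
// (In Yii 2, yii\helpers\Html::encode() wraps the same htmlspecialchars() call.)
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validation is a separate concern from encoding: a value that must be an integer
// is checked and rejected on failure rather than escaped.
function validatedPage($raw): ?int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? null : $page;
}

$name = getQueryParam('name', '');
echo "raw:     " . $name . PHP_EOL;                // unchanged markup; echoing this into a view is reflected XSS
echo "encoded: " . encodeForHtml($name) . PHP_EOL; // &lt;script&gt;alert(1)&lt;/script&gt;

$page = validatedPage(getQueryParam('page', '1'));
echo "page:    " . var_export($page, true) . PHP_EOL; // NULL, so the handler falls back to a default or returns 400
```

The takeaway for the question above: getQueryParam() neither validates nor escapes, so validate each parameter against what it is supposed to be and encode it for the context (HTML, attribute, URL) where it is finally rendered.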
Okay, good to know. I’ll have to sanitize it manually. Thanks!