escaping $_GET variable

$model->room_name = $_GET['roomname'];

In this line of code, is $_GET being escaped?

Not in that line of code, but when you run $model->save() the attributes inserted into the db will be sanitized.

What do you mean by “sanitized”? Attributes won’t be modified in any way unless some validation filters are applied. But there is no need to worry about SQL injections, because internally PDO prepared statements are used. The exception is using CDbCriteria.condition like "id = ".$_GET['id']. That’s not safe at all :)
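The difference between the two cases described above, written out as an added example (not code from this thread or from the Yii project). It assumes a Yii 1.x application with a hypothetical CActiveRecord model named `Room` that has an integer primary key `id` and a string column `room_name`; the attribute assignment is bound by PDO when `save()` runs, while a string concatenated into `CDbCriteria::$condition` reaches the database verbatim.

```php
<?php
// Added example; assumes a Yii 1.x app with a hypothetical Room model
// (integer column `id`, string column `room_name`).

// 1. Assigning a request value to an attribute and calling save():
//    the INSERT/UPDATE is built with PDO prepared statements, so quotes
//    in $_GET['roomname'] cannot change the SQL. The value is stored
//    as-is (no HTML stripping); constrain it via Room::rules() if needed.
$model = new Room();
$model->room_name = isset($_GET['roomname']) ? $_GET['roomname'] : '';
if (!$model->save()) {              // save() runs validate() first
    $errors = $model->getErrors();  // rule violations, e.g. length limits
}

// 2. UNSAFE: concatenating input into CDbCriteria::$condition. The string
//    is used as a raw SQL fragment, so a value such as "1 OR 1=1" rewrites
//    the WHERE clause. This is the pattern the thread warns about.
$unsafe = new CDbCriteria();
$unsafe->condition = 'id = ' . $_GET['id'];
// $rows = Room::model()->findAll($unsafe);   // do not do this

// 3. SAFE: keep the SQL fixed and bind the value as a named parameter.
//    CDbCriteria::$params is passed through to PDOStatement::bindValue(),
//    so the input is always treated as data, never as SQL.
$safe = new CDbCriteria();
$safe->condition = 'id = :id';
$safe->params = array(':id' => (int) $_GET['id']);
$room = Room::model()->find($safe);

// 4. Equivalent shortcut: compare() generates the placeholder for you.
//    Caveat: compare() reads a leading operator (<, >, <=, >=, <>, =)
//    off the value and uses it as the comparison operator; the remainder
//    is still bound as a parameter, but the operator itself comes from
//    the request, so validate the input first if that matters.
$byName = new CDbCriteria();
$byName->compare('room_name', $_GET['roomname']);   // exact match by default
$rooms = Room::model()->findAll($byName);

// 5. Input check before touching the database: an id that is not a digit
//    string gets a clean HTTP error instead of a database exception.
if (!isset($_GET['id']) || !ctype_digit($_GET['id'])) {
    throw new CHttpException(400, 'Invalid id');
}
```

Cases 2 and 3 produce the same query for a well-formed id; the point is that in case 3 the shape of the SQL is fixed at coding time and only the bound value varies at runtime.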

Sorry about my misuse of ‘sanitized’ which might lead you to believe that it will strip HTML for you or something like that.