How To Makes Sure Nobody Uses Sql Injection In Yii?

please help… :(

You can try it!

this document does not mention sql injection…

to prevent sql injections you must use value quoting or (event better) named parameters. Default code uses named parameters everywhere, so the only place which may be vulnerable to sql injection is your own code or poor third party libraries.

By named parameters I mean this:

$model = Model::model()->find( array( 'condition'=> 't.param = :pvalue', 'params'=>array( ':pvalue'=>$whatever_needed ) ) );


$command = $connection->createCommand( "INSERT INTO tbl_user (username, email) VALUES(:username,:email)" );

$result = $command->execute( array( ':username'=>'aaaa', ':email'=>Yii::app()->request->getPost( 'email', '' ) ) );


also read about parameters binding:

I strongly recommend this wonderful wiki article which discusses SQL injections, and many other security related stuff in Yii.

This is what you need: