Html::encode() in Active Record and andFilterWhere()

Hi, I have a model and controller. Is it necessary to use Html::encode() in the Active Record class and for andFilterWhere() to avoid SQL injection?

For Active Record as below

$countTalukas = Taluka::find()->where(['DistrictId' => \yii\helpers\Html::encode($id)])->count();

$talukas = Taluka::find()->where(['DistrictId' => \yii\helpers\Html::encode($id)])->all();

For andFilterWhere() in model search

$query->andFilterWhere([
    'TalukaId' => \yii\helpers\Html::encode($this->TalukaId),
    'DistrictId' => \yii\helpers\Html::encode($this->DistrictId),
]);

No, you don’t have to do it. The query builder behind ActiveRecord will take care of it.

The only exception is when you want to use a raw string format.


Ok, thanks for the reply

Html::encode() should not be used as a protection against SQL Injection - even if it works, it will generate invalid queries in some cases.


Ah, yes, @rob006 is right.

Html::encode() is meant for escaping output.
The primary method against SQL Injection in Yii is the use of prepared statements.

Please check the following section of the Guide.

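To make the answers above concrete, here is an added example (not code from the thread or from the Yii project) showing what the query builder does with the hash format and with the raw string format, and why Html::encode() breaks matching. It assumes the Taluka model and the DistrictId / TalukaId columns from the question; the TalukaName column and all input values are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a Yii 2 application
// with the Taluka ActiveRecord model from the question.

use yii\helpers\Html;

// Constructed input: a value that contains a quote character.
$id = "5' OR '1'='1";

// 1. Hash format: the value is passed to PDO as a bound parameter, so the
//    whole string is treated as a single DistrictId value, never as SQL.
$hashQuery = Taluka::find()->where(['DistrictId' => $id]);
echo $hashQuery->createCommand()->getRawSql(), PHP_EOL;
// e.g. SELECT * FROM `taluka` WHERE `DistrictId`='5'' OR ''1''=''1'

// 2. Raw string format: this is the exception the answer mentions. Binding is
//    your job, so pass values through the $params argument, never by
//    concatenating them into the condition string.
// $injectable = Taluka::find()->where("DistrictId = '$id'");   // do NOT do this
$boundQuery = Taluka::find()->where('DistrictId = :id', [':id' => $id]);
echo $boundQuery->createCommand()->getRawSql(), PHP_EOL;

// 3. andFilterWhere() drops conditions whose value is empty and binds the
//    rest exactly like the hash format above, so it needs no extra escaping.
$talukaId   = '';   // empty filter field -> condition is skipped
$districtId = 3;    // non-empty filter field -> bound as a parameter
$filterQuery = Taluka::find()->andFilterWhere([
    'TalukaId'   => $talukaId,
    'DistrictId' => $districtId,
]);
echo $filterQuery->createCommand()->getRawSql(), PHP_EOL;
// e.g. SELECT * FROM `taluka` WHERE `DistrictId`=3

// 4. Why Html::encode() is the wrong tool: it rewrites the value itself, so a
//    legitimate value with a quote or ampersand no longer matches any row.
//    (TalukaName is a hypothetical column used only for this illustration.)
$name = "O'Brien";
echo Html::encode($name), PHP_EOL;            // O&#039;Brien (an HTML entity, not the name)
$broken = Taluka::find()->where(['TalukaName' => Html::encode($name)]);
echo $broken->createCommand()->getRawSql(), PHP_EOL;
// Looks for TalukaName = 'O&#039;Brien', which no row contains. Html::encode()
// belongs in the view, where the value is rendered, not in the query.
```

The takeaway is the one the thread gives: let the query builder bind values (hash format, operator format, or raw string with a params array), and reserve Html::encode() for output.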