Is The "order" Property Secure?

Is the following code secure against SQL injection?


$criteria = new CDbCriteria();

$arySort = json_decode($_GET['sort']);

$criteria->order = $arySort[0]->property . ' ' . $arySort[0]->direction;

Person::model()->findAll($criteria);

If not, what should I do to make sure there is no danger in the "order" property of the CDbCriteria object?

Should I use a regular expression to filter the "order" property for letters only (a-z), or mysql_real_escape_string?

Yii uses PDO to handle the database… so no need to worry about escaping characters, which is done automatically.

In your case, I think a regular expression would do the needful. ex - /^[a-zA-Z]+$/

ref - http://de2.php.net/m…-statements.php

Thank you Azy for your answer, but note that PDO is useless in the “ORDER BY …” clause, because you can’t use bind parameters for the column name in “ORDER BY column_name”.

PDO and bind parameters are useful in the "WHERE" condition only.
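Putting the two points of the thread together (a regex-only filter as suggested in the reply, and the fact that ORDER BY cannot take bound parameters), here is an added example, not code from either poster, of validating the sort parameter against a fixed allowlist of columns before assigning it to CDbCriteria::order. The column map, the `buildSafeOrder()` function and the CLI demo inputs are constructed for this example; the Yii 1.x calls (`CDbCriteria`, `Person::model()->findAll()`) are the ones used in the question.

```php
<?php
// Added example (not from the forum thread). Builds a safe ORDER BY fragment for
// Yii 1.x CDbCriteria::order from an untrusted ?sort=[{"property":..,"direction":..}]
// parameter. Column names come from a fixed allowlist, never from the request.

/**
 * Map of client-visible sort keys to real column names. Hypothetical columns
 * for a "Person" table; the request may only choose among these keys.
 */
const PERSON_SORTABLE = [
    'lastName'  => 'last_name',
    'firstName' => 'first_name',
    'createdAt' => 'created_at',
];

/**
 * Return an ORDER BY fragment such as "`last_name` DESC", or $default when the
 * input is missing, malformed, or names a column that is not in the allowlist.
 */
function buildSafeOrder(?string $sortJson, array $allowed, string $default = '`id` ASC'): string
{
    if ($sortJson === null || $sortJson === '') {
        return $default;
    }
    $spec = json_decode($sortJson, true);
    // Expect a JSON array whose first element carries a string "property".
    if (!is_array($spec) || !isset($spec[0]['property']) || !is_string($spec[0]['property'])) {
        return $default;
    }
    $key = $spec[0]['property'];
    if (!array_key_exists($key, $allowed)) {
        return $default; // unknown key: nothing from the request reaches the SQL
    }
    // Direction is restricted to the two literal keywords, case-insensitively.
    $dir = strtoupper((string)($spec[0]['direction'] ?? 'ASC'));
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        $dir = 'ASC';
    }
    // Only the server-side column name (from the map) is emitted, quoted.
    return '`' . $allowed[$key] . '` ' . $dir;
}

// Constructed sample inputs, run only from the CLI.
if (PHP_SAPI === 'cli') {
    $samples = [
        '[{"property":"lastName","direction":"desc"}]',        // valid  -> `last_name` DESC
        '[{"property":"unlisted_column","direction":"ASC"}]',  // not in allowlist -> default
        '[{"property":"lastName","direction":"ASC -- x"}]',    // bad direction -> `last_name` ASC
        'not json',                                            // malformed -> default
    ];
    foreach ($samples as $s) {
        echo str_pad($s, 55) . ' => ' . buildSafeOrder($s, PERSON_SORTABLE) . PHP_EOL;
    }
}

// Yii 1.x usage with the thread's Person model and CDbCriteria, guarded so the
// file still runs outside a Yii application.
if (class_exists('CDbCriteria') && class_exists('Person')) {
    $criteria = new CDbCriteria();
    $criteria->order = buildSafeOrder($_GET['sort'] ?? null, PERSON_SORTABLE);
    $people = Person::model()->findAll($criteria);
}
```

The allowlist is stricter than the `/^[a-zA-Z]+$/` check alone: the regex keeps injection characters out, but it still lets the client sort by any column whose name matches, including columns the application never meant to expose, and it says nothing about the direction value, which the original code concatenates unchecked. Mapping request keys to column names decides up front exactly which columns are sortable, and falls back to a default ordering for anything else.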