Is The "order" Property Secure?

Is the following code secure against the SQL injection?

$criteria = new CDbCriteria();

$arySort= json_decode($_GET['sort']);

$criteria->order= $arySort[0]->property . ' ' .  $arySort[0]->direction;


If not, what should I do to make sure there is no danger in the "order" property of the CDbCriteria object?

Should I use regular expression to filter the "order" property for characters only (a-z) or mysql_real_escape_string?

Yii use PDO to handle database… so no need to worry about escaping characters which is automatically done.

in your case, i think a regular expression would do the needful. ex - [color="#800000"][font="Consolas, Menlo, Monaco,"]/^[a-zA-Z]+$/[/font][/color]

ref -…-statements.php

Thank you Azy for your answer, but note the PDO is useless in the “ORDER BY …” clause because you can’t use bind parameters in the “order by column_name”.

The PDO and the bind parameters are useful in the "WHERE" condition only.