Is the following code secure against the SQL injection?
$criteria = new CDbCriteria();
$arySort= json_decode($_GET['sort']);
$criteria->order= $arySort[0]->property . ' ' . $arySort[0]->direction;
Person::model()->findAll($criteria);
If not, what should I do to make sure there is no danger in the "order" property of the CDbCriteria object?
Should I use a regular expression to filter the "order" property for characters only (a-z), or mysql_real_escape_string?
mazraara
(Mazraara)
February 10, 2013, 8:59am
2
Yii uses PDO to handle the database, so no need to worry about escaping characters, which is done automatically.
In your case, I think a regular expression would do the needful, e.g. /^[a-zA-Z]+$/
ref - http://de2.php.net/m …-statements.php
Thank you Azy for your answer, but note that PDO is useless in the "ORDER BY …" clause because you can't use bind parameters in the "ORDER BY column_name".
The PDO and the bind parameters are useful in the "WHERE" condition only.
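Since the column name and direction in ORDER BY cannot be bound as PDO parameters, the practical defence is a whitelist rather than escaping. The following is an added example (not code from the thread or from Yii itself); the Person columns in the allowed list are an assumption, and the backtick quoting assumes MySQL, as the thread's mention of mysql_real_escape_string suggests.

```php
<?php
// Added example, not from the thread. The allowed column list is a
// constructed assumption for a hypothetical Person table.

/**
 * Build a safe ORDER BY fragment for CDbCriteria from untrusted sort input.
 * Identifiers and the sort direction cannot be PDO-bound, so the returned
 * string is assembled only from values we control, never from the request.
 */
function buildSafeOrder(array $sortSpec, array $allowedColumns, $default = '`id` ASC')
{
    if (empty($sortSpec) || !is_object($sortSpec[0])) {
        return $default;
    }
    $property  = isset($sortSpec[0]->property) ? (string) $sortSpec[0]->property : '';
    $direction = isset($sortSpec[0]->direction)
        ? strtoupper((string) $sortSpec[0]->direction)
        : 'ASC';

    // Exact match against the whitelist. A regex such as /^[a-zA-Z]+$/ only
    // restricts the character set; it still accepts names that are not
    // sortable columns of this model, or columns you did not intend to expose.
    if (!in_array($property, $allowedColumns, true)) {
        return $default;
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';
    }
    // Quote the identifier (MySQL style) so it is only ever parsed as a column name.
    return '`' . $property . '` ' . $direction;
}

// Controller usage, mirroring the original snippet (Person model assumed).
$allowedColumns = array('id', 'first_name', 'last_name', 'created_at');
$arySort = json_decode(isset($_GET['sort']) ? $_GET['sort'] : '[]');

$criteria = new CDbCriteria();
$criteria->order = buildSafeOrder(is_array($arySort) ? $arySort : array(), $allowedColumns);
$persons = Person::model()->findAll($criteria);
```

A request such as sort=[{"property":"last_name","direction":"desc"}] yields `last_name` DESC, while any property not in the list falls back to the default ordering instead of reaching the query.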