Is this secure code?


(Luxiga) #1

Hello.

Can you comment, please, is this secure code?


$userid = Yii::app()->user->id;
// the id is concatenated straight into the SQL text
$sqlCommand = "SELECT mail FROM user WHERE id = ".$userid." ";
// $this cannot be assigned in PHP; the result goes into an ordinary variable
$mail = Yii::app()->db->createCommand($sqlCommand)->queryScalar();

Or can I connect to the DB directly more securely?


(Marcelo de Andrade) #2

What do you mean with "connect to DB directly"?


(demonking) #3

No, it’s not…
Please use bindValue()

https://www.yiiframework.com/doc/api/2.0/yii-db-command#bindValue()-detail
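Added example, not code from the thread: the query from post #1 placed beside the parameterised form that post #3 recommends. It assumes the Yii 1.1 CDbCommand API implied by Yii::app() in post #1 (bindValue() and queryScalar() accepting a params array), and also shows the Yii 2 equivalent that the linked page documents. The function names are my own.

```php
<?php
// Added example (not from the thread). Assumes a Yii 1.1 application
// context (Yii::app()) for the first three functions and Yii 2 for the last.

/**
 * As posted: the id is interpolated into the SQL text. The value becomes
 * part of the query grammar, so correctness depends entirely on where
 * $userid came from and whether it can ever be tampered with.
 */
function mailForUserConcatenated($userid)
{
    $sql = "SELECT mail FROM user WHERE id = " . $userid;
    return Yii::app()->db->createCommand($sql)->queryScalar();
}

/**
 * Parameterised: the SQL text contains only the placeholder ":id". The
 * value travels separately through PDO and is never parsed as SQL.
 * PDO::PARAM_INT additionally tells the driver to treat it as an integer.
 */
function mailForUser($userid)
{
    $sql = "SELECT mail FROM user WHERE id = :id";
    return Yii::app()->db
        ->createCommand($sql)
        ->bindValue(':id', (int) $userid, PDO::PARAM_INT)
        ->queryScalar();
}

/**
 * Same thing in shorthand: CDbCommand::queryScalar() accepts the bound
 * parameters as an array instead of separate bindValue() calls.
 */
function mailForUserShort($userid)
{
    $sql = "SELECT mail FROM user WHERE id = :id";
    return Yii::app()->db
        ->createCommand($sql)
        ->queryScalar(array(':id' => (int) $userid));
}

/**
 * Yii 2 equivalent, matching the bindValue() page linked in post #3.
 */
function mailForUserYii2($userid)
{
    return Yii::$app->db
        ->createCommand('SELECT mail FROM user WHERE id = :id')
        ->bindValue(':id', (int) $userid)
        ->queryScalar();
}

// Usage inside a controller action (Yii 1.1):
// $mail = mailForUser(Yii::app()->user->id);
```

The (int) cast is defence in depth, not the fix itself: the fix is that the query text no longer changes with the input. That also answers the "connect to DB directly" question: a raw PDO connection gains nothing unless it, too, uses prepared statements, which is exactly what createCommand() plus bindValue() already does.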