Safety of passed in variables


I am ajaxing form varibales up to a controller action and inserting them into the db thus…

if ( isset( $_POST[‘User’]) ) {

$modelUser = new User;

$modelUser ->attributes = $_POST[‘User’];

$modelUser ->save();


I wonder if anyone can tell me if variables assinged via ->attributes are safe (filtered for sql injection attempts etc) for db insertion as they are or if I need to filter them myself.



These aren’t filtered (if rule isn’t filtering these) but generally are safe in terms of SQL injection because Yii uses prepared statements. Still you need to take care about XSS and stuff.


Yii extensions for filtering user inputs:

fantastic - thank you