Security: Mysq injection

Hi guys,

I have a question regarding mysql injection, basically how to protect against it :slight_smile:

So I know that before saving a model, prevention is taken against injection by Yii. I have also read somewhere that "prepared statements" also does this out of the box (?).

I have tried using the mysql_real_escape_string function, but get the error complaining about username/password NO. In this case I got the app->db and set the connection to active (and some other options) to get a connection, because I think that is the problem. Got an idea about how to open a db connection to be able to run the function?

And, when using CDbCriteria->params, is it safe regarding injection? Any best practices when it comes to this issue and Yii?

Any thoughts are appreciated

Ole M

This may cause problems due to sql injection:

$criteria->addInCondition('field', $fieldValue);

but in this way you are secure:

$criteria->addInCondition('field', ':field');

$criteria->params = array(':field' => $fieldValue);

And here you can read all you need. "" In particular:

Thanks for your reply, I will use that approach.