[SOLVED] How about SQL Injection

Hi,

a part of post controller:

$post=new Post;
if(isset($_POST['Post']))
{
  $post->attributes=$_POST['Post'];
  if(isset($_POST['submitPost']) && $post->save())
    $this->redirect(array('show','id'=>$post->id));
}


Is it SQL injection proof?

Second question:

$criteria=new CDbCriteria;
$criteria->params = array(":id"=>1);
$records=fpost::model()->findAll($criteria);


$criteria->params does not work. I get no error, but where I should get only one record (with id=1), I get all of them…

Yes. Internally, AR will use a prepared statement and bind those input parameters. Also, before saving, you should have a set of rules to validate those parameters.

Quote

Yes. Internally, AR will use a prepared statement and bind those input parameters.

and when my model is an instance of 'CFormModel' not AR?

Then you have neither save() nor SQL. ;)

Quote

Then you have neither save() nor SQL. ;)

Let's say I have a code:

$form = new myCFormModel;
if(isset($_POST['myCFormModel']))
{
  $form->attributes=$_POST['myCFormModel'];
  if($form->validate()){
    $criteria=new CDbCriteria;
    // searchId is interpolated straight into the SQL condition text
    $criteria->condition = "id='{$form->searchId}'";
    $myARrecords=myAR::model()->findAll($criteria);
  }
}

and it is not SQL injection proof…

That's your responsibility. You should write:

$criteria->condition='id=:id';
$criteria->params=array(':id'=>$form->searchId);


Quote

That's your responsibility. You should write:

$criteria->condition='id=:id';
$criteria->params=array(':id'=>$form->searchId);


Thanks, that works fine!
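The difference the accepted answer relies on, shown as an added example that is not code from this thread or from the Yii framework: plain PDO against a constructed in-memory SQLite table, comparing the interpolated condition from the question with the bound-parameter form, which is what a CDbCriteria condition/params pair becomes inside AR. The table and function names are assumed for illustration.

```php
<?php
// Added example (not from the thread or the Yii framework): plain PDO
// against an in-memory SQLite table constructed here, showing why
// condition='id=:id' + params=array(':id'=>$value) is safe while
// condition="id='{$value}'" is not. Table and function names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO post (id, title) VALUES (1, 'first'), (2, 'second')");

// The question's version: the value is pasted into the SQL text, so any
// quote character in it changes the statement instead of the data.
function findByInterpolation(PDO $db, string $searchId): array
{
    $condition = "id='{$searchId}'";
    $stmt = $db->query("SELECT * FROM post WHERE $condition");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The answer's version: the placeholder stays in the SQL text and the
// value is bound at execute time, the same thing AR does with
// CDbCriteria::$params internally.
function findByParam(PDO $db, string $searchId): array
{
    $stmt = $db->prepare('SELECT * FROM post WHERE id=:id');
    $stmt->execute([':id' => $searchId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// Well-formed input (constructed): both return the single row with id=1.
check(count(findByInterpolation($db, '1')) === 1, 'interpolated, id=1');
check(count(findByParam($db, '1')) === 1, 'bound, id=1');

// Input containing a quote (constructed): bound, it is compared literally
// against the id column and matches nothing; interpolated, the quote
// rewrites the SQL the database sees and the statement no longer parses.
$odd = "O'Reilly";
check(count(findByParam($db, $odd)) === 0, 'bound, quoted input is just data');
try {
    findByInterpolation($db, $odd);
    check(false, 'interpolated, quoted input should not have parsed');
} catch (PDOException $e) {
    check(true, 'interpolated, quoted input altered the SQL: ' . $e->getMessage());
}
```

Run with `php example.php`; the last line shows the database rejecting the rewritten statement, which is the same mechanism that lets crafted input change a query when it is not bound.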