SQL Injection Attacks

Does yii prevent injection attacks automatically or do I need to enter code to prevent them?


It is a good start to use the framework as shown in the guide.

Do not forget to validate fields and use prepared statements when querying the database.

Yii add slashes before saving attributes. For search statement, use parameters:

$criteria->addcondition("field= :field");


Whit such configuration yii prevents from sql injection.

If you use somthing like:

$criteria->addcondition("field= $userInputedField");

You are resposible for the content of $userInputedField (i.e: is dangerous)

zaccaria made it more clear :)

You won’t use prepared statements directly, but will use parameters, as he said above.

Also, I’d like to add that Yii uses parameters (then prepared statements) when saving an active record.

So, should we do array_walk to addslashes every parameters comping from and activerecord post?!