What exactly does sanitize input? Is it just a CDbCriteria object? Is directly setting attributes without setAttributes() or ar->attributes = array('foo'=>'bar') safe to do? Sorry, just looking for some more clarification.
Even if you bind your params you are NOT safe from XSS attacks.
You need to filter the user input before you go on to save it into the database.
If, for example, your $_POST['something'] = '<script>alert(1);</script>'; then even if you bind the param, this will not be safe, and when you echo it in the frontend it will display the alert.
Use something like HTML Purifier or any other solid XSS filter library to clean the input from users first, then after the input is cleaned of malicious code you can save it to the database by binding the necessary params.
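An added example, not code from this thread, that shows both halves of the answer above with plain PDO on an in-memory SQLite database (Yii 1.1's Active Record does the same binding through CDbCommand): the bound parameter defeats the injection string, while the stored script payload survives untouched until it is encoded on output. htmlspecialchars() with these flags is what CHtml::encode() wraps in Yii 1.1; the table, column names and sample input are constructed for the demo.

```php
<?php
// Added example: binding stops SQL injection, but not stored XSS.
// In-memory SQLite so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input standing in for $_POST['Comment'].
$post = array(
    'author' => "x' OR '1'='1",                // SQL-injection attempt
    'body'   => '<script>alert(1);</script>',  // stored-XSS attempt
);

// 1. Bound parameters: the values travel separately from the SQL text,
//    so the quotes in $post['author'] never become part of the statement.
$insert = $db->prepare('INSERT INTO comment (author, body) VALUES (:author, :body)');
$insert->execute(array(':author' => $post['author'], ':body' => $post['body']));

// A lookup bound the same way only matches the literal string that was stored;
// the "OR '1'='1" fragment is data, not a condition the database evaluates.
$find = $db->prepare('SELECT COUNT(*) FROM comment WHERE author = :author');
$find->execute(array(':author' => "' OR '1'='1"));
echo "rows matched by the injection string as a search term: " . $find->fetchColumn() . "\n";
$find->execute(array(':author' => $post['author']));
echo "rows matched by the exact stored author value:         " . $find->fetchColumn() . "\n";

// 2. The <script> tag was stored verbatim. Echoing it raw into an HTML page
//    would run it in every visitor's browser.
$row = $db->query('SELECT body FROM comment')->fetch(PDO::FETCH_ASSOC);
echo "stored body, raw (unsafe to echo into HTML): " . $row['body'] . "\n";

// Encode on output. This is exactly what CHtml::encode() does in Yii 1.1,
// with the charset taken from Yii::app()->charset.
$safe = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
echo "stored body, encoded (safe to echo into HTML): " . $safe . "\n";
```

Filtering on input with HTML Purifier and encoding on output are complementary: the first limits what gets stored, the second makes sure whatever is stored cannot execute when rendered.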
Brother, I am totally new to Yii, so I did not understand your conversation above. Please can you tell me whether my code below is SQL-injection proof or not? Thanks, Tanim
// Fragment of the poster's controller; the class name is assumed, and
// loadModel() and the rest of the class are not shown in the post.
class AdminController extends CController
{
    public function actionView()
    {
        $this->render('view', array(
            'model' => $this->loadModel(),
        ));
    }

    public function actionCreate()
    {
        $model = new Admin;

        // Uncomment the following line if AJAX validation is needed
        // $this->performAjaxValidation($model);

        if (isset($_POST['Admin']))
        {
            // Massive assignment: only attributes declared safe in Admin::rules()
            // are copied from $_POST; any others are ignored.
            $model->attributes = $_POST['Admin'];

            // save() runs validation and then issues the INSERT through
            // CDbCommand with every column value bound as a parameter.
            if ($model->save())
                $this->redirect(array('view', 'id' => $model->id));
        }

        $this->render('create', array(
            'model' => $model,
        ));
    }
}
If I’ve pulled up a row using a model, is it safe to set fields on the model directly from $_POST or $_GET and then save? Will Yii take care of DB escaping when I do the save? What about using the model methods with GET or POST?
I would be interested in how secure the findByPk() part of the code is. Since it uses CDbCriteria I would assume it to be safe.
What I did not expect though, is that the URL "/whatever?objectId=14abc" still perfectly manages to load the Object with ID 14, just as "/whatever?objectId=14" does... (in the code it is just $_GET['objectId'])
I am using Yii 1.1.16 and I used Active Record methods like find() and findByAttributes() with bound params, but it is not capable of protecting me from '1'='1'; -- SQL injection. What should I do?