SQL injections

From what I understand, Yii was set up to prevent SQL injections due to model posting. However, when running an Acunetix scan on my site (development mode), it is claiming a successful injection on our registration page (email form input). I can’t replicate the error (i.e., the form correctly has an error validation since the SQL injection is not a valid email address). Has anyone experienced this or can comment on Yii as it relates to SQL injections if we are using the Yii framework standard model->table mapping (so no actual SQL commands in our code)? Thanks.

It will be better if you show us some code that is "injectable".

This is what the Acunetix report shows. To be clear, I haven’t been able to replicate the injection myself, so trying to understand how/why Acunetix can do it.



URL encoded POST input User%5bemail%5d was set to 'and(select 1 from(select count(*),concat((select


),CHAR(48)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by


Injected pattern found: 4CuGY3wjGP0


POST /testit2/index.php?r=user/create HTTP/1.1
Content-Length: 745
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=s5ncs4pfvtr3oj4ctcoacu24i6;
Host: www.XXXXXXXX.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
(line truncated)

Request headers

CSRF_TOKEN=4fb7cac0c60f6fe3bd94a729d74e3e78410cd9c0&yt0=Sign Up!

OK, can you show us the code that you programmed? Not from the software but the relevant PHP code.