Suggestion For Security

Hi,

I need to create a custom SQL string because I need to split phrases into words (via the explode function) and use LIKE ... OR for each word.

The query is something like this:


$query = "the select statement";
$where = "the where statement";

// Append a condition only when the corresponding field was supplied
if (!empty($table->field)) $where .= 'where statement';
if (!empty($table->field1)) $where .= 'additional where statement';

return $query . $where;



Are there any Yii functions available for pure string queries, or do I have to use third-party functions to guard against SQL injection?

Thanks

Use SQL params. Then you do not have to escape anything:




// The placeholders :param1 and :param2 are bound separately, so the values never become part of the SQL text
$command = Yii::app()->db->createCommand( 'SELECT custom.fields FROM xxx WHERE xxx.field = :param1 AND xxx.field2 LIKE :param2' );

// The % wildcards are added in PHP; the whole value, user input included, is sent as one bound parameter
$result = $command->query( array( ':param1'=>'aaaaa', ':param2'=>'%' . $_GET['xxx'] . '%' ) );
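Putting the reply's advice onto the original question (split a phrase with explode and OR the words together), as an added example that is not code from this thread or from Yii: the clause gets one bound parameter per word, the column name is checked against an allowlist because identifiers cannot be bound, and LIKE's own wildcards inside the user's words are escaped so that a search for "100%" does not match everything. The post table, its title column, the allowlist and the '!' escape character are this example's assumptions. It runs against an in-memory SQLite table through PDO so it needs no Yii install; under Yii 1 the same $sql and $params go to Yii::app()->db->createCommand($sql)->queryColumn($params).

```php
<?php
// Added example (not code from the thread or from Yii): the asker's explode()/LIKE-OR
// search built with bound parameters. Table "post", column "title", the column allowlist
// and the '!' LIKE escape character are this example's own assumptions.
declare(strict_types=1);

/**
 * Bound parameters stop SQL injection, but '%' and '_' inside a bound value are still
 * wildcards to LIKE. Prefix them (and the escape char itself) so the word matches literally.
 */
function escapeLikeWildcards(string $word, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $word);
}

/**
 * Build "(col LIKE :w0 ESCAPE '!' OR col LIKE :w1 ESCAPE '!' ...)" from a phrase.
 * Returns [$sqlFragment, $params]. Values are bound, never interpolated; the column
 * name is checked against an allowlist because identifiers cannot be parameters.
 */
function buildLikeOrClause(string $column, string $phrase, array $allowedColumns): array
{
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    // explode() as in the question; drop the empty strings that doubled spaces produce.
    $words = array_values(array_filter(explode(' ', trim($phrase)), 'strlen'));
    if ($words === []) {
        return ['1=1', []];   // empty search: no filter at all
    }
    $parts = [];
    $params = [];
    foreach ($words as $i => $word) {
        $name = ':w' . $i;
        $parts[] = $column . ' LIKE ' . $name . " ESCAPE '!'";
        $params[$name] = '%' . escapeLikeWildcards($word) . '%';
    }
    return ['(' . implode(' OR ', $parts) . ')', $params];
}

/**
 * Run the clause against an in-memory SQLite table with constructed sample rows.
 * Returns the matching titles in insertion order.
 */
function searchTitles(string $phrase): array
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO post (title) VALUES (:title)');
    foreach (['Yii security tips', 'Escaping 100% of input', 'Unrelated entry'] as $title) {
        $insert->execute([':title' => $title]);   // constructed sample data
    }

    [$where, $params] = buildLikeOrClause('title', $phrase, ['title']);
    $sql = 'SELECT title FROM post WHERE ' . $where . ' ORDER BY id';
    // Yii 1 equivalent of the two PDO lines below:
    //   Yii::app()->db->createCommand($sql)->queryColumn($params)
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// "100%" is searched as the literal text, not as "100" followed by anything.
var_export(searchTitles('security 100%'));
echo PHP_EOL;
// An injection attempt is just three words bound as data; the query cannot change shape.
var_export(searchTitles("' OR 1=1"));
echo PHP_EOL;
```

Run it with `php search.php` (needs the pdo_sqlite extension, which ships with most PHP builds). The second search shows why parameters are enough for the data part: the quote, the OR and the 1=1 are compared against titles, never parsed as SQL. The allowlist is the part parameters cannot cover; if the column name also comes from the request, check it there or pass it through quoteColumnName before building the string.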



Thanks! Didn't think of that.

And if you really need quoting for some reason, there are functions in the CDbConnection object:




$db = Yii::app()->db;

// Quote a literal value: adds the surrounding quotes and escapes the contents
$val = $db->quoteValue( 'value' );

// Quote identifiers, which cannot be passed as bound parameters
$table = $db->quoteTableName( 'table_name' );
$col = $db->quoteColumnName( 'column' );