Safety of passed in variables

Hi

I am ajaxing form variables up to a controller action and inserting them into the db thus…

if (isset($_POST['User'])) {
    $modelUser = new User;
    // Mass-assign the submitted form fields to the model
    $modelUser->attributes = $_POST['User'];
    // Validate and insert the record
    $modelUser->save();
}

I wonder if anyone can tell me if variables assigned via ->attributes are safe (filtered for SQL injection attempts etc) for db insertion as they are or if I need to filter them myself.

Thanks

tb

These aren’t filtered (if a rule isn’t filtering these) but generally are safe in terms of SQL injection because Yii uses prepared statements. Still, you need to take care about XSS and stuff.

thanks!

Yii extensions for filtering user inputs:

http://www.yiiframework.com/extension/input/

http://www.yiiframework.com/extension/yxss-filter/

fantastic - thank you
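The two points made in the replies above (prepared statements cover SQL injection, XSS still needs handling), as an added example that is not part of the original thread. It uses plain PDO with an in-memory SQLite database as a stand-in for the prepared statements Yii issues; the table, the `e()` helper and the submitted values are constructed for illustration.

```php
<?php
// Added example, not code from the thread or from Yii itself.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');

// Constructed stand-in for $_POST['User'] as sent by the AJAX form.
$post = array(
    'username' => "x'); DROP TABLE user; --",
    'bio'      => '<script>alert(1)</script>',
);

// Bound parameters: the values are sent separately from the SQL text,
// so quotes and semicolons in them are stored as data, never parsed as SQL.
$stmt = $pdo->prepare('INSERT INTO user (username, bio) VALUES (:username, :bio)');
$stmt->execute(array(
    ':username' => $post['username'],
    ':bio'      => $post['bio'],
));

// The table still exists and holds exactly one row.
$count = (int) $pdo->query('SELECT COUNT(*) FROM user')->fetchColumn();
$row   = $pdo->query('SELECT username, bio FROM user WHERE id = 1')
             ->fetch(PDO::FETCH_ASSOC);

echo "rows in user table: $count\n";
echo "username stored unchanged: "
    . var_export($row['username'] === $post['username'], true) . "\n";

// Binding does not alter the value: the markup comes back exactly as submitted.
// It has to be encoded at the point where it is written into HTML.
// Hypothetical helper; Yii 1.1 provides CHtml::encode() for the same purpose.
function e($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

echo "raw bio:     " . $row['bio'] . "\n";     // unsafe to emit into a page
echo "encoded bio: " . e($row['bio']) . "\n";  // safe inside HTML text or attributes
```

Run it with `php` on the command line: the insert succeeds with the hostile-looking username stored verbatim, and only the encoded form of `bio` is inert when placed in a page.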