Security: MySQL injection

Hi guys,

I have a question regarding MySQL injection, basically how to protect against it :slight_smile:

So I know that before saving a model, Yii takes precautions against injection. I have also read somewhere that "prepared statements" also do this out of the box (?).

I have tried using the mysql_real_escape_string function, but I get an error complaining about username/password NO. In this case I got app->db and set the connection to active (and some other options) to get a connection, because I think that is the problem. Does anyone have an idea of how to open a DB connection so I can run the function?

And, when using CDbCriteria->params, is it safe regarding injection? Are there any best practices when it comes to this issue and Yii?

Any thoughts are appreciated

Ole M

This may cause problems due to SQL injection:


$criteria->addInCondition('field', $fieldValue);

but this way you are secure:


$criteria->addInCondition('field', ':field');

$criteria->params = array(':field' => $fieldValue);

And here you can read all you need: "http://www.yiiframework.com/doc/guide/1.1/en/database.dao". In particular:

Thanks for your reply, I will use that approach.
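The thread above contrasts an IN condition built from raw user input with one whose values are passed as bound parameters. The following is an added example, not code from the original posts or from Yii itself, showing why the distinction matters. It uses Python's sqlite3 module and an in-memory table with constructed rows; the vulnerable `find_unsafe` function and its parameterized counterpart `find_safe` are hypothetical names chosen for illustration. The bound-parameter path is the same mechanism Yii's DAO uses underneath (PDO prepared statements, which is what `CDbCriteria->params` ends up feeding): the database receives the SQL text and the values separately, so a value can never change the structure of the query.

```python
import sqlite3

# Constructed sample data for the demo (not from the original thread).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory SQLite database with a small user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", ROWS)
    return conn


def find_unsafe(conn, values):
    """Hypothetical vulnerable variant: quotes and interpolates the values
    straight into the SQL text, so a crafted value rewrites the query."""
    quoted = ", ".join("'" + v + "'" for v in values)
    sql = ("SELECT id, username FROM user WHERE username IN ("
           + quoted + ") ORDER BY id")
    return conn.execute(sql).fetchall()


def find_safe(conn, values):
    """Parameterized variant: one '?' placeholder per value, values bound
    separately. The driver never lets a value alter the SQL structure."""
    placeholders = ", ".join("?" for _ in values)
    sql = ("SELECT id, username FROM user WHERE username IN ("
           + placeholders + ") ORDER BY id")
    return conn.execute(sql, list(values)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value that closes the IN list, adds a tautology and comments out the rest.
    payload = "x') OR 1=1 --"
    print("unsafe:", find_unsafe(db, [payload]))   # every row comes back
    print("safe:  ", find_safe(db, [payload]))     # no row has that literal name
```

With the payload `x') OR 1=1 --`, the interpolated query becomes `... WHERE username IN ('x') OR 1=1 --') ORDER BY id`, which matches every row; the parameterized query looks for a username that literally equals the payload string and returns nothing. The same holds for any value, so the rule from the reply above generalizes: never splice user input into the SQL text, always pass it through `params` (or the equivalent placeholder mechanism of whatever layer you use).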