What's the best practise to validate GET attributes used to filter results

aaronjpitts · March 26, 2012, 2:12am

Hi,

I’m just wondering what the best practise with Yii is to validate GET attributes that are being used to filter results. If you take a look at my action index controller below, you will see I’m filtering results by the month and year.




	public function actionIndex()

	{

		

		if(isset($_GET['filter_month']) && isset($_GET['filter_year']))

		{

			$filter_month = $_GET['filter_month'];

			$filter_year = $_GET['filter_year'];

		

			$dataProvider=new CActiveDataProvider('Log', array(

			    'criteria'=>array(

			        'condition'=>"user_id='".Yii::app()->user->id."' AND (YEAR(date)='$filter_year' AND MONTH(date)='$filter_month')",

			    ),

			));

		} else

		{

			$dataProvider=new CActiveDataProvider('Log', array(

			    'criteria'=>array(

			        'condition'=>'user_id='.Yii::app()->user->id,

			    ),

			));

		}

		

		$this->render('index',array(

			'dataProvider'=>$dataProvider,

		));

	}

So what would be the best way to validate $filter_month and $filter_year to safeguard against XSS etc?

Thanks!

ivica · March 26, 2012, 3:50am

Here is idea:




public function actionIndex()

        {

                

                if(isset($_GET['filter_month']) && isset($_GET['filter_year']))

                {

                        $filter_month = $_GET['filter_month'];

                        $filter_year = $_GET['filter_year'];

                $criteria = new CDbCriteria();

$criteria->condition = "user_id = :title AND (YEAR(date)=:filter_year AND MONTH(date)=:filter_month)";

$criteria->params = array(':title'=>$_GET['title'], ':filter_year'=>$filter_year, ':filter_month' = $filter_month);


                        $dataProvider=new CActiveDataProvider('Log', array(

                            'criteria'=>array(

                                'condition'=>$criteria,

                            ),

                        ));

                } else

                {

                        $dataProvider=new CActiveDataProvider('Log', array(

                            'criteria'=>array(

                                'condition'=>'user_id='.Yii::app()->user->id,

                            ),

                        ));

                }

                

                $this->render('index',array(

                        'dataProvider'=>$dataProvider,

                ));

        }