Yii Framework Forum: Sql Injection On Insert Data - Yii Framework Forum



Sql Injection On Insert Data Rate Topic: -----

#1 dstudio

  • Junior Member
  • Group: Members
  • Posts: 40
  • Joined: 14-October 11

Posted 09 May 2013 - 05:02 PM

Hello.

When I want to select some data from database, I am using this piece of code:

// $seo is passed as the named parameter :seo, not concatenated into the condition string
$blog = Blog::model()->cache(3600, $dependency)->find('t.seo=:seo', array(':seo' => $seo));


And that is OK (in security context - I guess).

But I have a problem when I want to insert new data:

$model = new Blog;

if (isset($_POST['Blog'])) {
    // mass assignment of the posted form fields, then validate and insert
    $model->attributes = $_POST['Blog'];
    $model->save();
}


Is this OK? Because I don't know... Is it safe? Because I am not using addslashes() blabla. When I'm validating, it's not possible to insert a string into an integer-type field, but what about when it's a string?

Thanks.
0

#2 jacmoe

  • Elite Member
  • Group: Moderators
  • Posts: 2,601
  • Joined: 10-October 10
  • Location: Denmark

Posted 09 May 2013 - 05:18 PM

Find CSafeContentBehavior. :)
"Less noise - more signal"
0

#3 Tsunami

  • Standard Member
  • Group: Members
  • Posts: 150
  • Joined: 16-February 12

Posted 09 May 2013 - 06:21 PM

It's not a problem, Yii uses PDO with prepared statements, which escapes everything for you. And if you were using addslashes() instead of mysql_real_escape_string() you were doing it wrong anyway.

CSafeContentBehavior is for XSS, not SQL injection. As long as you use CHtml::encode() for your output this isn't a problem.
0

#4 jacmoe

  • Elite Member
  • Group: Moderators
  • Posts: 2,601
  • Joined: 10-October 10
  • Location: Denmark

Posted 09 May 2013 - 06:24 PM

Tsunami is right: Yii is generally safe in use.
"Less noise - more signal"
0

#5 dstudio

  • Junior Member
  • Group: Members
  • Posts: 40
  • Joined: 14-October 11

Posted 10 May 2013 - 08:18 AM

Tsunami, on 09 May 2013 - 06:21 PM, said:

It's not a problem, Yii uses PDO with prepared statements, which escapes everything for you. And if you were using addslashes() instead of mysql_real_escape_string() you were doing it wrong anyway.

CSafeContentBehavior is for XSS, not SQL injection. As long as you use CHtml::encode() for your output this isn't a problem.


Thank you very much. So, when I am selecting I just need to use something like this:


$blog=Blog::model()->cache(3600, $dependency)->find('t.seo=:seo', array(':seo'=>$seo));


And that's ok (I am talking just about sql injection).
0

#6 Keith

  • Elite Member
  • Group: Moderators
  • Posts: 1,670
  • Joined: 04-March 10
  • Location: UK

Posted 10 May 2013 - 09:26 AM

That's fine, as is:

// findByAttributes() builds the WHERE clause with bound parameters for you
$blog = Blog::model()->cache(3600, $dependency)->findByAttributes(array('seo' => $seo));

0
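The point Tsunami and Keith make above (the value is bound as a parameter, so the SQL text never changes) can be seen without Yii at all. The following is an added example, not code from the thread or from the Yii project: it uses plain PDO with an in-memory SQLite database (pdo_sqlite ships with php-cli) and a constructed `blog` table standing in for the Blog model. The `insertBlog`, `findBySeoBound` and `findBySeoConcat` functions are assumptions made for this example; `findBySeoBound` is the equivalent of `find('t.seo=:seo', array(':seo'=>$seo))` and `findBySeoConcat` is the string-splicing pattern that `addslashes()` was meant to patch over.

```php
<?php
// Added example (not from the forum thread). Shows what Yii's
// find('t.seo=:seo', array(':seo'=>$seo)) does underneath: the value is
// bound as a parameter, so the statement text is fixed and the value is
// never parsed as SQL, whatever characters it contains.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table, standing in for the thread's Blog model.
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, seo TEXT, title TEXT)');

// Insert the way CActiveRecord::save() does: every column value is a bound parameter.
function insertBlog(PDO $pdo, array $attrs) {
    $stmt = $pdo->prepare('INSERT INTO blog (seo, title) VALUES (:seo, :title)');
    $stmt->execute(array(':seo' => $attrs['seo'], ':title' => $attrs['title']));
    return (int) $pdo->lastInsertId();
}

// Safe lookup, equivalent to find('t.seo=:seo', array(':seo'=>$seo)).
function findBySeoBound(PDO $pdo, $seo) {
    $stmt = $pdo->prepare('SELECT id, seo, title FROM blog WHERE seo = :seo');
    $stmt->execute(array(':seo' => $seo));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The pattern addslashes() tried to patch over: the value is spliced into the
// SQL text, so the parser treats the value's quote characters as SQL quotes.
function findBySeoConcat(PDO $pdo, $seo) {
    $sql = "SELECT id, seo, title FROM blog WHERE seo = '" . $seo . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary value that happens to contain an apostrophe.
$posted = array('seo' => "o'brien-on-yii", 'title' => "O'Brien on Yii");
insertBlog($pdo, $posted);

// Bound parameter: the apostrophe is just data; the row is stored and found intact.
$rows = findBySeoBound($pdo, $posted['seo']);
printf("bound: %d row(s), seo stored as %s\n", count($rows), $rows[0]['seo']);

// Concatenation: the apostrophe ends the string literal early and the statement
// fails to parse. Data that can alter the statement's structure is the whole problem.
try {
    findBySeoConcat($pdo, $posted['seo']);
} catch (PDOException $e) {
    echo "concat: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`: the bound lookup reports one row with the apostrophe preserved, while the concatenated lookup raises a syntax error, because the value changed the shape of the statement rather than staying a value. One caveat on the insert side of the thread: in Yii 1.1, `$model->attributes = $_POST['Blog']` only assigns attributes that `rules()` marks as safe for the current scenario, so keeping `rules()` accurate is what limits which columns a request can set; it is a separate concern from SQL injection, which the parameter binding already covers.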
