Sql Injection On Insert Data

Hello.

When I want to select some data from database, I am using this piece of code:

$blog = Blog::model()->cache(3600, $dependency)->find('t.seo=:seo', array(':seo' => $seo));
And that is OK (in security context - I guess).

But I have a problem when I want to insert new data:

$model = new Blog;

if (isset($_POST['Blog'])) {
    // mass-assign the posted form values, then insert the record
    $model->attributes = $_POST['Blog'];
    $model->save();
}

Is this OK? Because I don’t know… Is it safe? Because I am not using addslashes() blabla. When I’m validating, it’s not possible to insert some string into an integer type, but what about when it’s a string?

Thanks.

Find CSafeContentBehavior. :)

It’s not a problem: Yii uses PDO with prepared statements, which escape everything for you. And if you were using addslashes() instead of mysql_real_escape_string() you were doing it wrong anyway.

CSafeContentBehavior is for XSS, not SQL injection. As long as you use CHtml::encode() for your output this isn’t a problem.

Tsunami is right: Yii is generally safe in use.
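To make the replies above concrete, here is an added example (not code from the thread or from Yii itself) that shows with plain PDO what Yii's `find('t.seo=:seo', ...)` and `save()` do underneath: the value is bound as a parameter and never becomes part of the SQL text. It uses an in-memory SQLite database so it runs stand-alone; the table, rows, the hostile input and the quoted title are all constructed for the demo, and the `findUnsafe`/`findSafe`/`insertSafe` helper names are mine.

```php
<?php
// Added example, not from the forum thread or the Yii framework.
// Assumes the pdo_sqlite extension is available; the schema and rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, seo TEXT, title TEXT)');
$pdo->exec("INSERT INTO blog (seo, title) VALUES ('hello-world', 'Hello')");
$pdo->exec("INSERT INTO blog (seo, title) VALUES ('second-post', 'Second')");

// Constructed hostile input: a string that closes the quote if it is
// concatenated into the SQL text. Used only to show the difference below.
$seo = "x' OR '1'='1";

// UNSAFE: string concatenation. The input becomes part of the SQL grammar,
// so the WHERE clause no longer means what the developer wrote.
function findUnsafe(PDO $pdo, $seo)
{
    $sql = "SELECT title FROM blog WHERE seo = '" . $seo . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: a prepared statement with a named placeholder. This is the shape
// Yii builds from find('t.seo=:seo', array(':seo'=>$seo)). The value travels
// separately from the query text, so it is only ever compared as data.
function findSafe(PDO $pdo, $seo)
{
    $stmt = $pdo->prepare('SELECT title FROM blog WHERE seo = :seo');
    $stmt->execute(array(':seo' => $seo));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The same holds for inserts, which is what CActiveRecord::save() does for
// each attribute: every value is bound, so quotes in a title cannot break
// the INSERT, and no addslashes()/mysql_real_escape_string() step is needed.
function insertSafe(PDO $pdo, array $attrs)
{
    $stmt = $pdo->prepare('INSERT INTO blog (seo, title) VALUES (:seo, :title)');
    $stmt->execute(array(':seo' => $attrs['seo'], ':title' => $attrs['title']));
    return (int) $pdo->lastInsertId();
}

var_dump(findUnsafe($pdo, $seo)); // both titles: the OR clause was injected
var_dump(findSafe($pdo, $seo));   // empty array: no row has that literal seo value

// Constructed form post with a quote and an angle bracket in the title.
$posted = array('seo' => 'quotes', 'title' => "O'Reilly <b>on</b> SQL");
$id = insertSafe($pdo, $posted);

$stmt = $pdo->prepare('SELECT title FROM blog WHERE id = :id');
$stmt->execute(array(':id' => $id));
$title = $stmt->fetchColumn();
var_dump($title); // stored verbatim: O'Reilly <b>on</b> SQL

// Escaping belongs at output time, per context. For HTML this is what
// CHtml::encode() wraps: htmlspecialchars with ENT_QUOTES.
echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "\n";
// O&#039;Reilly &lt;b&gt;on&lt;/b&gt; SQL
```

The design point the thread makes is visible in the two `find` calls: parameter binding is not an escaping step applied to the string, it is a different channel, so the data is stored exactly as typed and the only encoding that remains is the output-side one (`CHtml::encode()` for HTML), which addresses XSS rather than SQL injection.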

Thank you very much. So, when I am selecting I just need to use something like this:

And that’s OK (I am talking just about SQL injection).

That’s fine, as is:

$blog = Blog::model()->cache(3600, $dependency)->findByAttributes(array('seo' => $seo));