Can someone please summarize how I should treat $_GET parameters in terms of security. I am creating some urls by assigning $_GET parameters directly in the CHtml::link and I am also executing some queries in widgets, which use GET parameters directly in the query and I am worried about the security side of all this. If someone can summarize how I should escape all GET values please.
Basically in sql queries we should use bindValue or bindParam to avoid sql injection attack. This comment was posted a year ago. I would like to know if anything has changed since then. And also how to escape $_GET parameters if used directly in links or text.
When using DAO, you need to use bindParam/bindValue in order to prevent SQL injections, as described here under “Binding Parameters”. When using ActiveRecords, you don’t have to care about SQL injections since Yii does all the param-binding internally.
When using $_GET parameters in html, you have to make sure the data does not contain malicious code like "<script>…". You can do it this way:
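As an added illustration of the two rules in this answer (not code from the thread or from the Yii project), here is how a Yii 1.x view would pass `$_GET` values into text and links without letting them reach the HTML unencoded. It assumes a `post/view` route and that the query string carries `q` and `id`:

```php
<?php
// Added example, not from this thread: putting $_GET values into HTML safely in Yii 1.x.
// Assumes a controller with a 'post/view' action; 'q' and 'id' are the query parameters used.

// 1. Plain text output: encode before it reaches the page, so "<script>" is emitted
//    as "&lt;script&gt;" and is displayed rather than executed.
$q = isset($_GET['q']) ? $_GET['q'] : '';
echo '<p>Results for: ' . CHtml::encode($q) . '</p>';

// 2. Narrow the type where the meaning allows it: an id is an integer, so cast it.
//    This is in addition to encoding, not a replacement for it.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

// 3. Links: hand the parameters to Yii as a route array. Yii url-encodes each value
//    when it builds the URL, and CHtml::link() HTML-encodes the label by default.
echo CHtml::link('View post', array('post/view', 'id' => $id));

// 4. If you write an attribute by hand, the attribute value needs encoding too:
$url = Yii::app()->createUrl('post/view', array('id' => $id, 'q' => $q));
echo '<a href="' . CHtml::encode($url) . '">View post</a>';
```

The rule of thumb behind all four steps is the same: the raw `$_GET` value may be stored or compared as-is, but the moment it is written into HTML it goes through `CHtml::encode()` (or through a Yii helper that encodes for you).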
Additionally, I would like to know when I should use the CHtmlPurifier. Is there a specific case where it should be used. I don’t remember qiang using it in the blog demo?
Using parameter binding is safe, yes. You don’t have to mess around with any additional function like addslashes() or mysql_real_escape_string(). Just make sure you really always bind the needed params and don’t write them directly into the sql query string. As I said that only counts for DAO, not for ActiveRecord.
The way you use the CHtml::link() is safe. What you also can do is this:
When encode is set to true, all values of the htmloptions you define (in this case the value of "id") will be auto-encoded. This means less writing when you assign many htmloptions.
With CHtmlPurifier you can basically auto-encode a whole page or only parts of a page (like a comments list). So there’s no need for CHtml::encode($comment->text); anymore. But it’s slower than encode(). The nice thing however is that you may allow defined htmltags when using the Purifier. I’ve never used that so I can’t give an example. You may look here under “options” and here for more info about the purifier.
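Since this answer says it cannot give a purifier example, here is an added one (not from the thread or the Yii project) showing the `encode` htmlOption on `CHtml::link()`, `CHtmlPurifier` as an output filter around a comments list, and the allow-list form via its `options` property. It assumes a view that receives `$comments`, an array of models with a `text` attribute; the `$untrusted` string is constructed for the demonstration:

```php
<?php
// Added example, not from this thread: 'encode' htmlOption and CHtmlPurifier in Yii 1.x.
// Assumes $comments is an array of models with a ->text attribute (hypothetical view data).

// CHtml::link() with 'encode' => true: every remaining htmlOptions value is HTML-encoded
// when the tag is rendered, so a crafted $_GET['id'] cannot close the attribute early.
$id = isset($_GET['id']) ? $_GET['id'] : '';
echo CHtml::link('Post', array('post/view', 'id' => $id), array(
    'title'  => 'Post ' . $id,   // attacker-influenced value, encoded on output
    'encode' => true,
));

// CHtmlPurifier as a widget: everything echoed between beginWidget() and endWidget()
// is purified before it is sent, so the loop body needs no CHtml::encode() calls.
$this->beginWidget('CHtmlPurifier');
foreach ($comments as $comment) {
    echo '<div class="comment">' . $comment->text . '</div>';
}
$this->endWidget();

// CHtmlPurifier with an allow-list: only the listed tags and attributes survive,
// everything else (scripts, event handlers, other tags) is removed. HTML.Allowed
// is an HTMLPurifier option passed straight through by the options property.
$purifier = new CHtmlPurifier();
$purifier->options = array('HTML.Allowed' => 'p,b,i,a[href]');
$untrusted = '<p>hi <b>there</b><script>alert(1)</script></p>';   // constructed sample input
echo $purifier->purify($untrusted);   // <script> is dropped; <p> and <b> are kept
```

Use `CHtml::encode()` for output that must be shown as plain text and reserve the purifier for output where you deliberately want to keep some markup; the purifier runs a full HTML parse on every call, which is the slowdown the answer mentions.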
does not work. It throws a syntax error which I am unable to identify.
Error:
CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':id' at line 1
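The error above shows the literal text `:id` reaching the MySQL server instead of being replaced by a bound value. As an added example (not code from the thread or from Yii), these are the DAO and ActiveRecord forms in which the placeholder is bound before the statement executes, alongside the patterns that leave it unbound. It assumes a `tbl_post` table, a `Post` ActiveRecord class and the default `db` component:

```php
<?php
// Added example, not from this thread: binding the :id placeholder in Yii 1.x.
// Assumes a tbl_post table, a Post ActiveRecord class and the default 'db' component.

$id  = isset($_GET['id']) ? (int) $_GET['id'] : 0;   // cast first: narrows the accepted input
$sql = 'SELECT id, title FROM tbl_post WHERE id = :id';

// Correct (DAO, explicit binding): the name in $sql and the name given to bindValue()
// match exactly, and the bind is attached to the same command object that executes.
$row = Yii::app()->db->createCommand($sql)
    ->bindValue(':id', $id, PDO::PARAM_INT)
    ->queryRow();

// Correct (DAO, parameters passed at execution time):
$row = Yii::app()->db->createCommand($sql)->queryRow(true, array(':id' => $id));

// Correct (ActiveRecord): Yii binds the values in the params array internally.
$post = Post::model()->find('id = :id', array(':id' => $id));

// Likely causes of the placeholder staying unbound (kept as comments, do not run):
//   executing the command without binding anything:
//     Yii::app()->db->createCommand($sql)->queryRow();
//   binding under a name that differs from the one in the SQL:
//     Yii::app()->db->createCommand($sql)->bindValue(':postId', $id)->queryRow();
//   quoting the placeholder inside the SQL string, which turns it into a literal:
//     'SELECT ... WHERE id = \':id\''
```

A quick check when a query with placeholders fails: confirm that every `:name` in the SQL text has exactly one matching bind, spelled identically, on the command that is executed, and that the value is never concatenated into the string.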