Difference between #11 and #13 of
How to write secure Yii applications

Revision #13 has been created by Boaz on Nov 19, 2012, 2:24:57 PM with the memo:

utilizing the recommendation to cast to int suggested above...


Title unchanged

How to write secure Yii applications

Category unchanged


Yii version unchanged

Tags unchanged

security, authorization, authentication, XSS, SQL injection

Content changed

$messages = array("Rock'n roll", 'Say "hello"');
$title = "D'accord";
// CJavaScript::encode() turns a PHP value into a JavaScript literal,
// CJavaScript::quote() escapes a string for use inside JS quotes.
Yii::app()->clientScript->registerScript('snippet', "
function displayMsg() {
    var messages = " . CJavaScript::encode($messages) . ";
    var title = '" . CJavaScript::quote($title) . "';
    // ...
}
");

// still lacks validation, but more secure
// (the start of the first statement is cut off in this diff view; findByPk is assumed)
Comment::model()->findByPk((int)$_GET['id'])->delete();
$comments = Comment::model()->findAllByAttributes(array('user_id' => (int)$_GET['id']));

This is a general principle: if you build your SQL condition as plain text, you take more risks than if you let Yii build it from PHP values, which it binds as query parameters.
For most DB functions, **prefer array parameters to string parameters**.
Here is another example using PHP arrays:
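To make the text-versus-array point concrete, here is an added example (not code from the article or from the Yii project) that writes the same lookup several ways with the Yii 1.1 APIs. It assumes a `Comment` CActiveRecord model with `user_id` and `status` columns and a `created` timestamp; the `$userId` value and the column names are illustrative assumptions.

```php
<?php
// Added example, not from the article. Assumes a Comment CActiveRecord model
// with `user_id`, `status` and `created` columns (assumed names).
$userId = Yii::app()->request->getQuery('id');   // untrusted input from the URL

// 1. Text condition built by string concatenation: whatever the client sent
//    becomes part of the SQL itself. Vulnerable; shown only as the contrast case.
$unsafe = Comment::model()->findAll("user_id = " . $userId);

// 2. Text condition with a bound parameter: the value travels to the driver
//    separately from the SQL, so it cannot change the query's structure.
//    The (int) cast additionally rejects anything that is not a number.
$bound = Comment::model()->findAll('user_id = :uid', array(':uid' => (int)$userId));

// 3. Array condition: Yii generates the placeholder and the binding for you,
//    which leaves less room for mistakes than writing the condition by hand.
$byAttr = Comment::model()->findAllByAttributes(array('user_id' => (int)$userId));

// 4. CDbCriteria when the condition grows: compare() and addInCondition()
//    both emit bound parameters rather than interpolated text.
$criteria = new CDbCriteria;
$criteria->compare('user_id', (int)$userId);
$criteria->addInCondition('status', array('published', 'pending'));
$criteria->order = 'created DESC';
$recent = Comment::model()->findAll($criteria);

// 5. The query builder takes the same array of parameters and binds them too.
$rows = Yii::app()->db->createCommand()
    ->select('id, user_id, status')
    ->from('comment')
    ->where('user_id = :uid', array(':uid' => (int)$userId))
    ->queryAll();
```

Forms 2 to 5 all produce parameterised SQL; the difference is only how much of the condition you write yourself. Reserve the text form (2) for conditions the array helpers cannot express, and still bind every value instead of concatenating it.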
Viewed: 250 888 times
Version: 1.1
Category: How-tos
Written by: François Gannaz
Last updated by: François Gannaz
Created on: Nov 22, 2011
Last updated: 4 years ago