TeAmEr

Reputation: 4773

Is Yii's model save() method secure?

I have a model User. Assuming I have created a new object from that model

$x = new User;

and set its property from a _POST var

$x->lastName = $_POST["last_name"];

if I did a

$x->save();

would it be secure from SQL injection?

Thank you

Upvotes: 0

Views: 1194

Answers (2)

Imre L

Reputation: 6249

Yii uses PDO for connection, so yes, it would be safe from SQL injection.

But it is not safe from XSS. http://www.yiiframework.com/doc/guide/1.1/en/topics.security http://www.yiiframework.com/wiki/275/how-to-write-secure-yii-applications/#hh11

Upvotes: 2

bool.dev

Reputation: 17478

When you do $model->save(), the model's validation kicks in first, so your variables will be validated according to the validation rules defined in the model. If there are errors, the model won't be saved and the values won't go into your DB, hence no injection.

Validation rules are defined in the model's rules array; there are already many inbuilt validation classes. Here's a nice wiki article giving a primer on the validator classes.

You can also define your own validators.

So as long as you are sanitizing (or validating) your inputs you are good to go.

Upvotes: 2
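The following is an added illustration, not code from the question or from either answer, that ties the two answers together for Yii 1.1: a User model with the rules array the second answer refers to, the question's save() pattern, the hand-built SQL that actually is injectable next to its bound-parameter equivalent, and the output-time encoding the first answer's XSS remark points at. The table name user, the column lastName and the :ln placeholder are assumptions.

```php
<?php
// Added example (not the original poster's code). Assumes a table named
// `user` with a string column `lastName`; adjust tableName() to match.

class User extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'user'; // assumed table name
    }

    // save() calls validate() against these rules before any SQL is built.
    // Attributes that appear in no rule are also rejected by massive
    // assignment ($model->attributes = $_POST['User']), which is what
    // keeps a client from setting columns such as `is_admin`.
    public function rules()
    {
        return array(
            array('lastName', 'required'),
            array('lastName', 'length', 'max' => 64),
        );
    }
}

// 1. The question's pattern. CActiveRecord::save() validates, then issues
//    an INSERT through CDbCommand with every value bound as a PDO
//    parameter, so a quote in $_POST['last_name'] is stored literally.
$x = new User;
$x->lastName = isset($_POST['last_name']) ? $_POST['last_name'] : '';
if (!$x->save()) {
    // Validation failed: nothing was sent to the database.
    print_r($x->getErrors());
}

// 2. What IS injectable in a Yii app: concatenating the same input into
//    SQL yourself. With last_name = "x' OR '1'='1" the WHERE clause
//    matches every row; with a stray quote it is a syntax error.
$bad = User::model()->findBySql(
    "SELECT * FROM user WHERE lastName = '" . $x->lastName . "'"
);

// 3. Safe equivalents: the same query with a bound parameter, or the
//    attribute-based finder, which binds the value for you.
$good = User::model()->findBySql(
    'SELECT * FROM user WHERE lastName = :ln',
    array(':ln' => $x->lastName)
);
$alsoGood = User::model()->findByAttributes(array('lastName' => $x->lastName));

// 4. XSS is a separate, output-time problem. save() does not neutralise a
//    stored value like "<script>alert(1)</script>"; encode it when it is
//    rendered in a view. Echoing the raw attribute is the XSS.
echo CHtml::encode($x->lastName);
```

The length rule above caps the stored value but does not restrict its characters, so a rule alone does not prevent stored XSS; the CHtml::encode() call at render time is what does that.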
