Answer the question
In order to leave comments, you need to log in
D
D
Dmitry2018-03-23 17:35:19
Dmitry, 2018-03-23 17:35:19
How to upgrade from 2.0.13.1 correctly?
Good afternoon.
Please help me with the update.
The Yii team has released a set of important security updates to the framework and extensions.
I am using 2.0.13.1.
According to the recommendations in the article on habrahabr , to update my version, you must use the command
composer require "yiisoft/yii2":"~2.0.13.2". After executing this command, the application has been updated to version 2.0.13.3. If you use the command
composer update, then the version is updated to 2.0.15.1 , and after the update, warnings and recommendations for editing the code are displayed in the console.Console
Seems you have upgraded Yii Framework from version 2.0.13.1 to 2.0.15.1.
Please check the upgrade notes for possible incompatible changes
and adjust your application code accordingly.
Upgrade from Yii 2.0.14
-----------------------
* When hash format condition (array) is used in `yii\db\ActiveRecord::findOne()` and `findAll()`, the array keys (column names)
are now limited to the table column names. This is to prevent SQL injection if input was not filtered properly.
You should check all usages of `findOne()` and `findAll()` to ensure that input is filtered correctly.
If you need to find models using different keys than the table columns, use `find()->where(...)` instead.
It's not an issue in the default generated code though as ID is filtered by
controller code:
The following code examples are **not** affected by this issue (examples shown for `findOne()` are valid also for `findAll()`):
```php
// yii\web\Controller ensures that $id is scalar
public function actionView($id)
{
$model = Post::findOne($id);
// ...
}
```
```php
// casting to (int) or (string) ensures no array can be injected (an exception will be thrown so this is not a good practise)
$model = Post::findOne((int) Yii::$app->request->get('id'));
```
```php
// explicitly specifying the colum to search, passing a scalar or array here will always result in finding a single record
$model = Post::findOne(['id' => Yii::$app->request->get('id')]);
```
The following code however **is vulnerable**, an attacker could inject an array with an arbitrary condition and even exploit SQL injection:
```php
$model = Post::findOne(Yii::$app->request->get('id'));
```
For the above example, the SQL injection part is fixed with the patches provided in this release, but an attacker may still be able to search
records by different condition than a primary key search and violate your application business logic. So passing user input directly like this can cause problems and should be avoided.
You can find the upgrade notes for all versions online at:
https://github.com/yiisoft/yii2/blob/2.0.15.1/framework/UPGRADE.mdTell me, how, after all, is it correct to upgrade from 2.0.13.1? Will there be any problems if I upgrade immediately to 2.0.15.1?
1 answer(s)
@webinar
they are always output in the latest versions. So what? Only the findOne methods have changed there. I don’t think it’s a long time to fix the project, go through the folder with controllers and that’s all. Why are you updating?
M
Maxim Timofeev, 2018-03-23 @webinar
warnings are displayed in the console
they are always output in the latest versions. So what? Only the findOne methods have changed there. I don’t think it’s a long time to fix the project, go through the folder with controllers and that’s all. Why are you updating?
Similar questions
Y
E
A
M
G
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question