Is the request secure?
I apologize in advance for the stupid question. Everyone used to ask stupid questions.
Is this kind of query safe?
Model::find()->where(["=", "city", $_COOKIE['city']])->all();
and this save:
$model->city = $_COOKIE['city'];
$model->save();
And if not, what should be done about it? (As you understand, you can set validation rules for save, but there are no validation rules for where.)
Is this kind of query safe?
Model::find()->where(["=", "city", $_COOKIE['city']])->all();
Inserting data received from the user into the query is bad practice, and it is better not to do it at all. As for security, SQL injection is not possible in a query of this kind, because the built-in query builder escapes the data.
and this save
$model->city = $_COOKIE['city'];
$model->save();
It all depends on many factors: what type of data the attribute can take, what validation rules are provided for it in the model, and what you do with this attribute afterwards (how you escape it on output). For example, if a parameter can take a string and in the model you validate it as a plain string, but you don't escape its output anywhere, that is already a security hole.
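As an added illustration (not part of the question or the answer above, and not code from the Yii project), the snippet below puts the two points side by side for a Yii2 ActiveRecord model: the operator-format where() binds the cookie value as a query parameter instead of splicing it into the SQL text, while save() is only as safe as the rules() you declare and the escaping you apply on output. The model name City, its table, and the cookie name are assumptions for the example.

```php
<?php
// Added example, not from the original question or answer.
// Assumes a Yii2 ActiveRecord model `City` (hypothetical) with a string attribute `city`.

use yii\db\ActiveRecord;
use yii\helpers\Html;

class City extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%city}}'; // hypothetical table name
    }

    // These rules run only on validate()/save(); where() never consults them.
    public function rules()
    {
        return [
            ['city', 'trim'],
            ['city', 'required'],
            ['city', 'string', 'max' => 64],
            // Whitelist the allowed characters rather than relying on escaping alone.
            ['city', 'match', 'pattern' => '/^[\p{L}\s\-]+$/u'],
        ];
    }
}

// The cookie is attacker-controlled input. Reading it through the request component
// means the cookie must carry a valid signature when enableCookieValidation is on
// (the default); a forged or unsigned cookie then falls back to ''.
$city = Yii::$app->request->cookies->getValue('city', '');

// Safe: operator format. The builder emits `[[city]] = :qp0` and binds the value,
// so the SQL text never contains the user's input.
$query = City::find()->where(['=', 'city', $city]);
$rows  = $query->all();

// Unsafe contrast (do not use): string format with interpolation makes the
// user's input part of the SQL text itself.
// $rows = City::find()->where("city = '$city'")->all();

// Inspect what the builder would send: the value belongs in params, not in sql.
$command = $query->createCommand();
// $command->sql    -> SELECT * FROM `city` WHERE `city`=:qp0
// $command->params -> [':qp0' => <cookie value>]

// On save, the rules() above decide what is accepted.
$model = new City();
$model->city = $city;
if (!$model->save()) {
    // Rejected input, e.g. ['city' => ['City is invalid.']]
    $errors = $model->getErrors();
}

// On output, escape for the HTML context; a stored value that is rendered raw
// is the "security hole" the answer refers to (stored XSS, not SQL injection).
echo Html::encode($model->city);
```

Two things worth checking in your own code: createCommand()->params should contain the user value and createCommand()->sql should not, and every place the attribute is rendered should pass through Html::encode() (or an equivalent context-appropriate encoder), because the model's rules() protect the database, not the page that displays the data.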