php - updates secure from sql injections in yii -


could please tell if these 2 fragments of code secure in yii. fragent 1:

 $numberofrows = $this->updateall(array('full_path' => $target, 'title' => $name,                'machine_name' => $name), 'full_path = :path', array(':path' => $path));

should escape $target , $name in query?

fragment 2:

$sql = "update folders"; $sql .= " set full_path = concat('" . $target . "',substr(full_path, " . (strlen($path)  + 1) . ", length(full_path)-1))"; $sql .= " full_path '" . $path . "%'"; $command = $this->dbconnection->createcommand($sql); $command->execute();

should escape $target , full_path here using cdbconnection::quotevalue() or in these 2 fragments? 1 how escape path in fragment 2 avoid issues special symbols used (%, _).

i made changes fragment 2 using binds , escaping %_:

$sql = "update folders"; $sql .= " set full_path = concat(:target, substr(full_path, " . (strlen($path) + 1) . ", length(full_path)-1))"; $sql .= " full_path  :pathfilter"; $command = $this->dbconnection->createcommand($sql);  //escape %_ can used in sql expression $pathfilter = addcslashes($path, '%_') . '%';  $command->bindparam(":pathfilter", $pathfilter, pdo::param_str); $command->bindparam(":target", $target, pdo::param_str);  $command->execute();

is correct? there more elegent way it?

speaking of more elegant ways, can avoid named parameters, dramatically shorten code:

$sql  = "update folders set"; $sql .= " full_path = concat(?, substr(full_path, ?, length(full_path)-1))"; $sql .= " full_path ?";  //escape %,_ , \ can used in sql expression $pathfilter = addcslashes($path, '\%_') . '%'; // i've added slash here  $command = $this->dbconnection->createcommand($sql); $command->execute([$target, strlen($path) + 1, $pathfilter]);

Comments

Post a Comment

Popular posts from this blog

java.util.scanner - How to read and add only numbers to array from a text file -

i'm learning java , have question regarding reading file want read numbers file contains strings well. here example of file: 66.56 "3 java 3-43 5-42 2.1 1 and here coding: public class test { public static void main (string [] args){ if (0 < args.length) { file x = new file(args[0]); try{ scanner in = new scanner( new fileinputstream(x)); arraylist<double> test = new arraylist<>(); while(in.hasnext()){ if(in.hasnextdouble()){ double f=in.nextdouble(); test.add(f);} else {in.next();} } catch(ioexception e) { system.err.println("exception during reading: " + e); } } my problem add 66.56,2.1 , 1 doesn't add 3 after "3 or ignores 3-43 , 5-42 can tell me how skip strings , add doubles here? thanks all said 3 ie; "3, 3-43 , 4-42 strings either u read string , split , check number @ " , - or put in space between characters , integers. jvm after compilation tre...
Read more

rewrite - Trouble with Wordpress multiple custom querystrings -

i'm working on adding multiple querystring , doesn't seem work. i've found codes seems work others might i'm missing something. i want like: http://mydomain.com/board/?getyear=2013&getsometext2=sometext to http://mydomain.com/board/2013/sometext/ i added code below functions.php file. doesn't seem work should though. this works. echoing querystring gets both variable without problem. http://mydomain.com/board/2013/sometext/ but doesn't. tested querystring vis isset() seems nothing being set/get http://mydomain.com/board/2013/ function add_query_vars($vars) { $vars[] = "getyear"; $vars[] = "getsometext2"; return $vars; } add_filter('query_vars', 'add_query_vars'); function add_rewrite_rules($arules) { $anewrules = array('board/([^/]+)/([^/]+)/?$' => 'index.php?pagename=board&getyear=$matches[1]&getsometext2=$matches[2]'); $arules = $a...
Read more