I’ve seen the following code:
$id = $_GET["user"];
$auth = $_GET["id"];
$sql = 'DELETE FROM categories where user_id = '.$id.' and category_id = '.$auth;
Yii::app()->db->createCommand($sql)->execute();
I’ve been told that this code isn’t ok, because it couldn’t allow SQL injection.
Is it because of the $_GET not being properly filtered?
Wouldn’t the Yii::app()->db->createCommand($sql)->execute(); avoid that?
Or, by the time we arrive there, should we already have checked the data that is placed in the WHERE clause?
The first rule of data security for Web application is to never “trust” GET/POST parameters.
Your code is not attempting to “sanitize” the two GET parameters with which you are building an SQL statement. This means someone can manipulate the URL to “inject” a second (or more) SQL statement into what you are executing. The best way to avoid SQL injection attacks is to use queries that “bind” their parameters, thus ensuring you can only be running a single query. The Yii documentation on how to use bound parameters is available at the following URL (item #5):
http://www.yiiframework.com/doc/guide/1.1/en/database.dao
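As an added example (not code from the question or from the Yii documentation), here is the same DELETE rewritten with Yii 1.1 DAO bound parameters, with the integer check done before the values reach the WHERE clause. It assumes a configured Yii 1.1 application and a `categories` table as in the question; the function name `deleteCategoryForUser` is hypothetical.

```php
<?php
// Added example: bound parameters on Yii 1.1's DAO layer.
// Assumes Yii::app()->db is configured and `categories` exists.

function deleteCategoryForUser(CDbConnection $db, $userId, $categoryId)
{
    // Validate *before* the data reaches the query: both ids must be
    // non-negative integers. Anything else is rejected, not "cleaned".
    if (!ctype_digit((string) $userId) || !ctype_digit((string) $categoryId)) {
        throw new InvalidArgumentException('user and id must be integers');
    }

    // Placeholders instead of string concatenation: the SQL text is fixed
    // and the values travel separately, so they are never parsed as SQL.
    $sql = 'DELETE FROM categories WHERE user_id = :user_id AND category_id = :category_id';

    $command = $db->createCommand($sql);
    $command->bindValue(':user_id', (int) $userId, PDO::PARAM_INT);
    $command->bindValue(':category_id', (int) $categoryId, PDO::PARAM_INT);

    // execute() returns the number of affected rows.
    return $command->execute();
}

// Controller-side usage: read the two GET parameters and let the function
// reject anything that is not an integer.
$userId     = isset($_GET['user']) ? $_GET['user'] : null;
$categoryId = isset($_GET['id'])   ? $_GET['id']   : null;

try {
    $deleted = deleteCategoryForUser(Yii::app()->db, $userId, $categoryId);
    echo "Deleted $deleted row(s)";
} catch (InvalidArgumentException $e) {
    // Bad input is answered with a 400, not a query.
    throw new CHttpException(400, $e->getMessage());
}
```

With the query text fixed and the values bound, a manipulated URL can only change which integers are compared, never the statement itself.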