
I have this code in my controller:

```php
class ArchController extends Controller
{
    public function actionIndex(string $date, array $rubric_id)
    {
        $articles = Article::find()->where('published < :date', [':date' => $date])
                                   ->andWhere(['in', 'rubric', $rubric_id])
                                   ->andWhere('ISNULL(arch)')->all();
        ...
```

It seems to me it is not safe because $rubric_id is user input. How can I do parameter binding, something like this:

```php
':rubric_id' => $rubric_id
```
  • how come the input $rubric_id is an array? is it like some multi-select dropdown that you are submitting with multiple id's as an array? Commented Sep 8, 2019 at 13:34
  • Yes, it's multi-select dropdown. Commented Sep 12, 2019 at 9:16

1 Answer

Yii uses parameter binding internally, so it is safe to use ->andWhere(['in', 'rubric', $rubric_id]). You can review the implementation of InConditionBuilder to make sure of that.
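As an added example (not code from the question or the answer), here is a defensive version of the action: it validates the multi-select values as integers before they reach the query, then uses createCommand() to inspect the SQL and the bound parameters that Yii generated for the in condition. It assumes an app\models\Article ActiveRecord with published, rubric and arch columns.

```php
<?php
// Added example, not from the original post. Assumes app\models\Article exists
// with the columns published, rubric and arch.
namespace app\controllers;

use Yii;
use yii\base\DynamicModel;
use yii\web\BadRequestHttpException;
use yii\web\Controller;
use app\models\Article;

class ArchController extends Controller
{
    public function actionIndex(string $date, array $rubric_id = [])
    {
        // Reject anything that is not a date plus a list of integers before it
        // reaches the query builder. Binding stops SQL injection; validation
        // stops garbage values and keeps error handling explicit.
        $model = DynamicModel::validateData(
            ['date' => $date, 'rubric_id' => $rubric_id],
            [
                ['date', 'date', 'format' => 'php:Y-m-d'],
                ['rubric_id', 'each', 'rule' => ['integer']],
            ]
        );
        if ($model->hasErrors()) {
            throw new BadRequestHttpException('Invalid archive filter.');
        }

        $query = Article::find()
            ->where('published < :date', [':date' => $date])
            ->andWhere(['in', 'rubric', $rubric_id])
            ->andWhere('ISNULL(arch)');

        // Inspect what the query builder produced: getSql() shows the IN list
        // as :qp0, :qp1, ... placeholders and $command->params holds the
        // user-supplied values, i.e. they are bound, not concatenated.
        $command = $query->createCommand();
        Yii::debug($command->getSql(), __METHOD__);
        Yii::debug($command->params, __METHOD__);

        return $this->render('index', ['articles' => $query->all()]);
    }
}
```

Two points to keep in mind when reading the logged SQL: an empty $rubric_id makes InConditionBuilder emit a false condition (no rows) rather than a syntax error, and only the values are bound, so the column name passed as 'rubric' must never come from user input.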
