Does Yii CActiveForm automatically sanitize user input?

I have a basic Yii CActiveForm that I'm using to gather input from users, which then is inserted into a database [edit] via default Yii ActiveRecord models[/edit]. Like anyone, I want to make sure that a clever user doesn't drop my database via one of these fields.

The question is: does the Yii CActiveForm automatically sanitize input before it can do anything malicious? I can't find any documentation on this. Not sure if I need to spend time on it or it's already taken care of.

Thanks!

Jack asked May 20 '26 22:05


2 Answers

When you say "CActiveForm", I assume you mean using the Yii-generated models and controllers. CActiveForm doesn't automatically do any sanitizing for you, but if you use the ActiveRecord methods that Yii uses by default, it will generally do the PDO bindings for you based on the data types of each field. If you are creating your own queries using createCommand() or another method, you should define your own bindings.

If you want to see what's going on, you can turn on logging, e.g., to generate a file with the db commands, add this to your config file in the components->log array:

    'components'=>array(
        'log'=>array(
            'class'=>'CLogRouter',
            'routes'=>array(
                array(
                    'class'=>'CFileLogRoute',
                    'levels'=>'trace, info',
                    'categories'=>'system.db.*',
                    'logFile'=>'db.log',
                ),
                // ... other log routes
            ),
        ),
    ),

and if you see the update statements parameterized, you can be pretty sure they are using PDO bindings, which will prevent most, but not necessarily all, SQL attacks. (By default the log file is saved in your "runtime" directory, which you can then trace out. You can also have it displayed at the bottom of the web page or FireBug with CWebLogRoute, but that won't show all commands if a page gets redirected.)

ldg answered May 22 '26 15:05


CActiveForm does not automatically do any sanitization of user input. That said, here are some more details about Yii security:

Cross-Site Scripting Security (XSS):

The Yii Guide post about its security features:

http://www.yiiframework.com/doc/guide/1.1/en/topics.security

To summarize the link above, you can pretty easily enable the CHtmlPurifier filter to sanitize user input before your action fires, but it's not the default behavior.

Yii also has some features you can turn on to validate cookies and prevent cross-site request forgery, also mentioned in the link.

Database Security:

As for your concern about user input dropping your database, if you use Yii's standard Data Access Objects (like CActiveRecord) and MySQL, the PDO bindings used to save data should protect against 1st order SQL injection attacks.

thaddeusmt answered May 22 '26 14:05
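Putting both answers together (ActiveRecord's PDO bindings on save(), explicit bindings for your own createCommand() queries, and CHtmlPurifier for the XSS side), here is an added example that is not code from the question or either answer. It assumes a Yii 1.1 application with a hypothetical `Comment` model over a hypothetical `tbl_comment` table with `author` and `body` columns, posted from a CActiveForm whose fields are `Comment[author]` and `Comment[body]`.

```php
<?php
// Added example, not code from the question or either answer. Assumes a Yii 1.1
// application with a hypothetical `Comment` ActiveRecord model over a
// hypothetical `tbl_comment` table that has `author` and `body` columns.
class Comment extends CActiveRecord
{
    public function tableName()
    {
        return 'tbl_comment';
    }

    public function rules()
    {
        // Only attributes named in rules() are massively assignable, so stray
        // POST keys are dropped when the controller sets $model->attributes.
        return array(
            array('author, body', 'required'),
            array('author', 'length', 'max' => 64),
            // XSS side: CHtmlPurifier cleans the HTML field during validation.
            // SQL side: CActiveRecord::save() issues a parameterized INSERT via PDO.
            array('body', 'filter', 'filter' => array(new CHtmlPurifier, 'purify')),
        );
    }

    // Hand-written SQL gets no automatic protection from ActiveRecord, so bind
    // the user-supplied value instead of concatenating it into the statement.
    public static function countByAuthor($author)
    {
        // Unsafe form this replaces: "... WHERE author='" . $author . "'"
        return (int) Yii::app()->db
            ->createCommand('SELECT COUNT(*) FROM tbl_comment WHERE author=:author')
            ->bindValue(':author', $author)
            ->queryScalar();
    }
}

class CommentController extends CController
{
    public function actionCreate()
    {
        $model = new Comment;
        if (isset($_POST['Comment'])) {
            $model->attributes = $_POST['Comment']; // safe attributes only
            if ($model->save()) {                   // validate() runs the purifier, then the bound INSERT
                $this->redirect(array('index'));
            }
        }
        $this->render('create', array('model' => $model));
    }
}
```

With the CFileLogRoute configuration from the first answer enabled, the INSERT and the COUNT query both appear in runtime/db.log with `:author`-style placeholders rather than inlined values, which is the check that the bindings are actually in effect.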