Can we discuss the different ways of fetching models and the security implications for each
  • I'm using the PDO driver. I assumed parameter binding was going on behind the scenes, but as I tried to follow the code it doesn't look like it does. Or am I wrong? What methods have you used to prevent SQL injection and XSS? I'm trying to follow the logic of what is going on when I make a request like
    $user = Model_Profile::find()->where('user_id', $id)->get_one();
    

    but I get lost pretty fast. What's the difference between the previous code and
    $user = Model_Profile::query()->where('user_id', $id)->get_one();
    
  • If you don't pass any parameters to find(), it is identical to query(). find() is basically a shortcut method that allows you to quickly create common queries in an ORM context, like get the first, the last or all records. Model::find('first') is easier than Model::query()->order_by('id', 'ASC')->get_one(); It also works no matter what your primary key construction is; if you manually code your query, the order_by has to contain all key columns. In your example, I would use Model::find($id); though, much quicker... ;)
  • Hmm, ok, that clears some things up, but extending on my question about how inputs are handled before they're put in the database, let's take for example this block of code that views a user's profile
    public function action_view($id = null) {

        $data = null;

        if (!$id) {
            Session::set_flash('error', 'user not found');
            Response::redirect('error');
            return false;
        }

        $check = Model_User::find($id);

        if (!$check) {
            Session::set_flash('error', 'user not found');
            Response::redirect('/error');
            return false;
        }

        // real user, do whatever
    }
    

    Right now I have 2 users in the database with ids 1 and 2. If I go to this, it passes, which makes sense
    /users/view/1
    

    This passes too, which also makes sense
    /users/view/2
    

    but this somehow grabs the same user model as the first example, which is fine, but I just don't get how.
    /users/view/1somerandomstring
    
    So because the database field is an integer, is it automatically going to just take an integer? I guess what I'm asking is where this happens, and can I safely assume that if the wrong data types are presented to a model they are just ignored? Before, I would do some sort of variable filter like
    // strict comparison: filter_var() returns the int 0 for "0", which == false would also reject
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        header("Location: /error.php?error=23");
        exit;
    }
    
  • The database classes, and that includes the ORM, don't check anything, they pass whatever you provide on to the database in the query, they only escape the value. With the ORM, you can use an observer to implement type checking. A typing observer is included in the package. More functional checks you'll have to do either in your controller (in case you use the standard model or database API) or in your model methods (in case you use custom methods).
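To make the answer above concrete: MySQL compares an INT column against the string '1somerandomstring' by casting the string to the integer 1 (with a warning, not an error), which is why that URL resolves to user 1; the ORM only quotes the value, it does not reject it. The following is an added example, not code from the thread or from the FuelPHP project. It enables the ORM's typing observer on the model and validates the id in the controller before the lookup, as the answer suggests. The column list, the 'users/view' view name and the '/error' route are assumptions; the `$_observers` and `$_properties` layout follows the FuelPHP 1.x ORM conventions.

```php
<?php
// Added example (not from the thread or the FuelPHP project): a model with the
// ORM's typing observer enabled, and a controller action that validates the id
// before the lookup so that "/users/view/1somerandomstring" is rejected instead
// of being silently coerced by the database. Columns, view name and the
// '/error' route are assumptions.

class Model_User extends \Orm\Model
{
    protected static $_table_name = 'users';

    // data_type drives Observer_Typing: a non-integer id is rejected on save,
    // and values loaded from the database are cast to PHP ints.
    protected static $_properties = array(
        'id'       => array('data_type' => 'int'),
        'username' => array('data_type' => 'varchar', 'label' => 'Username'),
        'email'    => array('data_type' => 'varchar', 'label' => 'Email'),
    );

    protected static $_observers = array(
        'Orm\\Observer_Typing' => array(
            'events' => array('before_save', 'after_save', 'after_load'),
        ),
    );
}

class Controller_Users extends \Controller
{
    // Returns the validated integer id, or null when the input is not a plain
    // positive integer. filter_var() rejects "1somerandomstring", "1.0" and "";
    // the === check matters because a valid "0" would otherwise compare == false.
    protected function validate_id($id)
    {
        $valid = filter_var($id, FILTER_VALIDATE_INT, array(
            'options' => array('min_range' => 1),
        ));
        return $valid === false ? null : $valid;
    }

    public function action_view($id = null)
    {
        $id = $this->validate_id($id);
        if ($id === null)
        {
            // Response::redirect() sends the Location header and exits.
            \Session::set_flash('error', 'user not found');
            \Response::redirect('/error');
        }

        // The id is now a PHP int; the ORM still quotes it when building the
        // SQL, so neither the type check nor the escaping is skipped.
        $user = Model_User::find($id);
        if ( ! $user)
        {
            \Session::set_flash('error', 'user not found');
            \Response::redirect('/error');
        }

        return \Response::forge(\View::forge('users/view', array('user' => $user)));
    }
}
```

Note that the typing observer runs on save and load, not on the arguments you pass to find() or where(), so the controller-side check is what stops the coerced lookup; the observer protects the data you write, the filter protects the query you build.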
