Added note on how to deal with filtering column names

37ec930f · Alexander Makarov · 57bca30e · 37ec930f
Commit 37ec930f authored Dec 17, 2014 by Alexander Makarov
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 1 deletion

security-best-practices.md docs/guide/security-best-practices.md +14 -1

No files found.
--- a/docs/guide/security-best-practices.md
+++ b/docs/guide/security-best-practices.md
@@ -77,7 +77,20 @@ $userIDs = $connection
    ->queryColumn();
 ```

-If data is used to specify column names or table names it should be escaped. Yii has special syntax for such escaping
+If data is used to specify column names or table names the best thing to do is to allow only predefined set of values:
+ 
+```php
+function actionList($orderBy = null)
+{
+    if (!in_array($orderBy, ['name', 'status'])) {
+        throw new BadRequestHttpException('Only name and status are allowed to order by.')
+    }
+    
+    // ...
+}
+```
+
+In case it's not possible, table and column names should be escaped. Yii has special syntax for such escaping
 which allows doing it the same way for all databases it supports:

 ```php