yiissy001
Code used globally across a project, e.g. operations common to all of the project's controllers and models
Request URL
http://cms/frontend/web/index.php?r=admin/main&id=2%20or%201=1
The code is as follows
<?php
namespace frontend\controllers\admin;

use yii;
use yii\web\Controller;
use backend\models\Nav;

class MainController extends Controller
{
    public function actionIndex()
    {
        // Dump the raw GET parameters (r and id) as received.
        var_dump(yii::$app->request->get());

        // Hash-format condition: the value is bound as a query parameter,
        // it is not spliced into the SQL text.
        $model = Nav::find();
        $model->andWhere([
            'nav_id' => yii::$app->request->get('id'),
        ]);

        // Print the generated SQL so the placeholder is visible.
        echo $model->createCommand()->getSql();
        echo "\n";

        $data = $model->asArray()->all();
        var_dump($data);
    }
}
Returned result
array(2) {
  ["r"]=>
  string(10) "admin/main"
  ["id"]=>
  string(8) "2 or 1=1"
}
SELECT * FROM `mxq_nav` WHERE `nav_id`=:qp0
array(1) {
  [0]=>
  array(12) {
    ["nav_id"]=>
    string(1) "2"
    ["nav_pid"]=>
    string(1) "0"
    ["nav_type"]=>
    string(1) "1"
    ["nav_icon"]=>
    string(8) "nav-user"
    ["nav_sort"]=>
    string(1) "0"
    ["homePage"]=>
    string(0) ""
    ["collapsed"]=>
    string(1) "0"
    ["closeable"]=>
    string(1) "0"
    ["id"]=>
    string(4) "user"
    ["text"]=>
    string(6) "用户"
    ["href"]=>
    NULL
    ["status"]=>
    string(1) "1"
  }
}
As you can see, Yii automatically guards against SQL injection, so this is safe.
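To make concrete what the `:qp0` placeholder in the generated SQL buys you, here is an added example that is not part of the original post. It uses plain PDO on an in-memory SQLite table (the `mxq_nav` rows are constructed here) so it runs without a Yii install, and puts the string-concatenation pattern next to the bound-parameter pattern that Yii's hash condition compiles to. The Yii query forms named in the comments are the standard Yii 2 `where()` formats; the table contents and the `findUnsafe`/`findSafe` helper names are assumptions of this example.

```php
<?php
// Added example (not from the original post): reproduces the point above
// with PDO + SQLite so it runs offline. Table and rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mxq_nav (nav_id INTEGER PRIMARY KEY, text TEXT)');
$pdo->exec("INSERT INTO mxq_nav VALUES (1, 'home'), (2, 'user'), (3, 'admin')");

// The same request parameter as in the URL above.
$id = '2 or 1=1';

// Unsafe pattern: the raw value is spliced into the SQL text, so " or 1=1"
// becomes part of the WHERE clause and every row matches.
// The Yii 2 equivalent is the string format with concatenation:
//   Nav::find()->where('nav_id = ' . Yii::$app->request->get('id'))
function findUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT nav_id FROM mxq_nav WHERE nav_id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe pattern: the value is bound to a placeholder and the database only
// ever sees it as data. This is what the hash condition
//   ->andWhere(['nav_id' => $id])
// compiles to (the `nav_id`=:qp0 shown above); the explicit form
//   ->where('nav_id = :id', [':id' => $id])
// produces the same bound statement.
function findSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT nav_id FROM mxq_nav WHERE nav_id = :qp0');
    $stmt->execute([':qp0' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

printf("unsafe: %s\n", implode(',', findUnsafe($pdo, $id))); // 1,2,3
printf("safe:   %s\n", implode(',', findSafe($pdo, $id)));   // empty on SQLite

// Caveat: in the post the bound query still returned nav_id 2, because MySQL
// casts '2 or 1=1' to its numeric prefix 2 when comparing it with an integer
// column; SQLite does no such cast and returns no row. In both cases the
// injected "or 1=1" is never executed as SQL. Casting the parameter before it
// reaches the query removes that database-dependent behaviour, and also keeps
// a ?id[]=1&id[]=2 request from turning the hash condition into
// nav_id IN (1, 2), which is what Yii does with an array value.
$navId = (int) $id; // 2
printf("cast:   %s\n", implode(',', findSafe($pdo, (string) $navId))); // 2
```

The thing to check in your own controllers is which `where()` format is in use: the hash format and the operator format bind values, while the string format binds only what you pass in the `$params` argument, so anything concatenated into that string is back to the unsafe case. Casting or validating the parameter (here `(int)`) is cheap insurance on top of the binding.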
Nice, I tried it in Yii 1 as well, and it really can't be injected.