There is a SearchModel and a query $query = Table::find(); data comes from the frontend in the $name variable and needs to be added to the query.

    if ($this->name) {
        $query->andWhere(
            "MATCH(name) AGAINST (:query IN BOOLEAN MODE)",
            [':query' => str_replace(' ', '*', trim($this->name)) . '*']
        );
    }

As I understand it, this format is not correct; it may be a security "hole".

How do I safely insert variables containing data into the query?

  • This is a safe way. - madfan41k
  • If you enter @, the system "crashes". - Fitstd
  • It crashes because your query itself is clumsy. - madfan41k
  • addslashes($name) - adds escaping backslashes. Well, there will be problems if you add a single quote '. - user3841429

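As an added example (not code from the question, the comments, or Yii itself): the bound :query parameter already keeps the value out of the SQL text, which is what makes the comments' "safe way" safe against SQL injection. What it does not do is stop boolean-mode operators in the input (the @ from the second comment, but also + - < > ( ) ~ " *) from breaking the MATCH ... AGAINST expression at runtime. The helper below strips those before the term is bound; the function name, the $maxWords limit and the sample inputs are my own assumptions.

```php
<?php
// Added example (not from the question or Yii): build a MySQL full-text
// BOOLEAN MODE term from untrusted input and hand it to a bound parameter.
// Parameter binding prevents SQL injection; this function only keeps
// user-typed boolean-mode operators from making the AGAINST() term fail.

/**
 * Turn free text into a boolean-mode prefix search such as "foo* bar*".
 * Returns null when nothing searchable remains, so the caller can skip the
 * condition instead of sending an empty AGAINST() term.
 */
function buildBooleanSearchTerm(string $input, int $maxWords = 10): ?string
{
    // Replace every operator character with a space; keep letters, digits,
    // underscore and whitespace (\p{L}/\p{N} so non-Latin words survive).
    $clean = preg_replace('/[^\p{L}\p{N}_\s]/u', ' ', $input);
    // Split on whitespace runs; this also absorbs tabs and double spaces,
    // which the original str_replace(' ', '*', ...) turned into "**".
    $words = preg_split('/\s+/u', trim($clean), -1, PREG_SPLIT_NO_EMPTY);
    $words = array_slice($words, 0, $maxWords); // assumed cap on query size
    if ($words === []) {
        return null;
    }
    // Prefix-match each word; "*" is the only operator the code adds itself.
    return implode(' ', array_map(fn(string $w): string => $w . '*', $words));
}

// Demonstration on constructed inputs, including the "@" case from the comments.
foreach (['John Smith', 'foo@bar.com', '+(a) -"b"', '   ', "' OR 1=1 --"] as $raw) {
    var_dump(buildBooleanSearchTerm($raw));
}
// Expected: "John* Smith*", "foo* bar* com*", "a* b*", NULL, "OR* 1* 1*"

// In the SearchModel the term is still passed as a bound parameter,
// exactly as in the question; only the value changes (shown, not run here):
//
//     $term = buildBooleanSearchTerm((string) $this->name);
//     if ($term !== null) {
//         $query->andWhere(
//             'MATCH(name) AGAINST (:query IN BOOLEAN MODE)',
//             [':query' => $term]
//         );
//     }
```

Note that the helper also silently removes a leading minus or quoted phrase a user may have typed on purpose; if you want to support those operators, allow-list them explicitly rather than passing raw input through.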