04-20-2012, 10:44 AM
[eluser]skunkbad[/eluser]
Chances are that you would be safe, but there's more to consider based on if $plan gets inserted into the HTML in the view. If $plan is an integer, typecast it as (int). If $plan is one of a series of strings, you could easily check that the value exists in an array using PHP's in_array() function. Active Record is good, so chances are you're not going to have any SQL injection, but like I said, if the value of $plan is going to be used in the HTML, that's where you need to make sure it's properly filtered.
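As an added illustration (not part of the post above), here is how the three checks it mentions fit together in PHP: the (int) typecast, a strict in_array() whitelist, and HTML escaping before output. The plan names, the helper function names and the sample inputs are constructed assumptions, not anything from CodeIgniter itself.

```php
<?php
// Added example, not from the original post. Assumed: $plan arrives from
// $this->input->post('plan') in a CodeIgniter controller; plan names and
// sample inputs below are constructed values.

$allowed_plans = array('free', 'basic', 'pro');

// Return the plan name if it is in the whitelist, otherwise NULL.
// The third argument (strict) makes in_array() compare with ===, so an
// input like 0 or "0" cannot loosely match a string entry.
function validate_plan($plan, array $allowed)
{
    if (!is_string($plan)) {
        return null;
    }
    return in_array($plan, $allowed, true) ? $plan : null;
}

// For a numeric plan id: typecast, then reject anything that is not a
// positive integer written exactly as digits ("7abc" casts to 7 but fails
// the round-trip comparison, so it is refused rather than silently accepted).
function validate_plan_id($plan)
{
    $id = (int) $plan;
    return ($id > 0 && (string) $id === (string) $plan) ? $id : null;
}

// Escape a value for HTML text or a double-quoted attribute in the view.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for what a user might submit as "plan".
$samples = array('pro', 'PRO', '0', '<script>alert(1)</script>', '7', '7abc');

foreach ($samples as $input) {
    $name = validate_plan($input, $allowed_plans);   // 'pro' passes, 'PRO' does not
    $id   = validate_plan_id($input);                // '7' passes, '0' and '7abc' do not
    echo var_export($input, true)
        . ' name=' . var_export($name, true)
        . ' id='   . var_export($id, true)
        . ' html=' . h($input) . "\n";               // escaped form is safe to echo
}
```

Only the validated $name or $id should reach the Active Record call, and only h() output should reach the view.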