is it safe to use direct url params in a finder based on a route?
I'm using
base/str:<slug>
to form the URL in the routes page to determine the list page vs a detail page for one base category
Code:
$repo = $this->repository('My\Repo');
$finder = $repo->findMyStuff();
if (isset($params['slug']))
{
    // constrain the finder to the slug taken from the route
    $finder->where('myfield', $params['slug']);
}
$viewParams = [
    'myrow' => $finder->fetchOne(),
];
if (!$viewParams['myrow'])
{
    // no row matched the slug, so respond with a 404
    throw $this->exception($this->notFound('Item Not Found'));
}
return $this->view('My\View', 'my_template', $viewParams);
If someone were to type in a bad slug, it seems to be responding correctly with a 404 due to my condition, but this is after the finder already could have been injected.
Does the finder structure keep it safe, or should I try to regex/whitelist expected values/lengths/etc.?
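One defense-in-depth approach for the slug path above, as an added example rather than code from the post: validate the slug's shape and length before it ever reaches the finder, and fail with the same 404 the missing-row check already produces. It assumes a XenForo 2 controller (XF\Pub\Controller\AbstractController receiving an XF\Mvc\ParameterBag); the class name, the constants and assertValidSlug() are hypothetical.

```php
<?php
// Added example, not from the original post: validate the route slug before it
// reaches the finder, regardless of how the finder itself quotes the value.
// MyController, SLUG_PATTERN, SLUG_MAX_LENGTH and assertValidSlug() are hypothetical.

namespace My\Controller;

use XF\Mvc\ParameterBag;
use XF\Pub\Controller\AbstractController;

class MyController extends AbstractController
{
    // Expected slug shape: lowercase alphanumerics separated by single hyphens.
    const SLUG_PATTERN = '/^[a-z0-9]+(?:-[a-z0-9]+)*$/';
    const SLUG_MAX_LENGTH = 64;

    public function actionIndex(ParameterBag $params)
    {
        $repo = $this->repository('My\Repo');
        $finder = $repo->findMyStuff();

        if (isset($params['slug']))
        {
            // Malformed input never reaches where(); it gets the same 404 as a missing row.
            $finder->where('myfield', $this->assertValidSlug($params['slug']));
        }

        $viewParams = [
            'myrow' => $finder->fetchOne(),
        ];
        if (!$viewParams['myrow'])
        {
            throw $this->exception($this->notFound('Item Not Found'));
        }

        return $this->view('My\View', 'my_template', $viewParams);
    }

    protected function assertValidSlug($slug)
    {
        $slug = (string)$slug;
        if (strlen($slug) > self::SLUG_MAX_LENGTH || !preg_match(self::SLUG_PATTERN, $slug))
        {
            throw $this->exception($this->notFound('Item Not Found'));
        }
        return $slug;
    }
}
```

Keeping the length check in front of the regex means an oversized value is rejected cheaply, and the single 404 path avoids leaking whether a slug was malformed or merely absent.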