Validating a filter
Based on this, two different approaches to how data should be managed exist. Whitelists are generally preferred, because blacklists may accidentally treat bad data as safe. But if implemented poorly, a whitelist can lead to a denial-of-service attack in which the attacker floods the system with unexpected input, forcing the system to expend scarce processing and communication resources on rejecting it. These languages throw compile-time or run-time exceptions whenever a variable derived from user input is used in a risky way, e.g. A strategy that is usually insufficient is to filter out known bad input.
However, in some cases a whitelist solution may not be easily implemented. If the characters in the set [:;.-/] are known to be bad, but the input ; ls -l / is received, the original input is replaced with ls l (the characters ;, - and / are thrown away), which still contains a runnable command.
Any other characters could possibly be interpreted in an unexpected manner, and are therefore replaced with the appropriate "encoded" representation.
Given a model populated with user inputs, you can validate the inputs by calling the yii\base\Model::validate() method.
The method will return a boolean value indicating whether the validation succeeded or not.
Whether this is a problem depends on your scenario.
As a rule of thumb, you should never trust the data received from end users and should always validate it before putting it to good use.