Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Filtering and Sanitizing

Hi guys!

I was reading phalcon documentation, however I'm not sure about Filtering and Sanitizing.

Is it enough using "string" filter to prevent a sql injection attack?

Thanks in advance.

Why worry about sql injection when both ORM and QueryBuilder are using pdo prepared statements?

Binding Parameters with ORM

Query Builder - bullets list here.

You don't have worry about sql injection when use bound parameters.

edited Oct '16

Indeed, but application should offer basic filtering even w/o any database queries. What I usually do on my route parameters - apply custom sanitize filter (if I expect numeric input, that's what it will only pass this filter).

Golden rule should be always applied - never trust a user input.

Yea, i have model validaiton but this is basic stuff. Using filters sometimes too if need int really.