Hi guys!
I was reading phalcon documentation, however I'm not sure about Filtering and Sanitizing.
Is it enough using "string" filter to prevent a sql injection attack?
Thanks in advance.
Solved thread
This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.
Why worry about sql injection when both ORM and QueryBuilder are using pdo prepared statements?
Query Builder - bullets list here.
You don't have worry about sql injection when use bound parameters.
Indeed, but application should offer basic filtering even w/o any database queries. What I usually do on my route parameters - apply custom sanitize filter (if I expect numeric input, that's what it will only pass this filter).
Golden rule should be always applied - never trust a user input.
Yea, i have model validaiton but this is basic stuff. Using filters sometimes too if need int really.
Log In to Comment