
Filtering and Sanitizing

Hi guys!

I was reading the Phalcon documentation, however I'm not sure about Filtering and Sanitizing.

Is it enough to use the "string" filter to prevent a SQL injection attack?

Thanks in advance.

Why worry about SQL injection when both the ORM and the QueryBuilder use PDO prepared statements?

Binding Parameters with ORM

Query Builder - bullet list here.

You don't have to worry about SQL injection when you use bound parameters.



Accepted answer (edited Oct '16)

Indeed, but an application should offer basic filtering even without any database queries. What I usually do on my route parameters is apply a custom sanitize filter (if I expect numeric input, that is the only thing that will pass this filter).

The golden rule should always be applied: never trust user input.
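The two answers above (bound parameters in the ORM/QueryBuilder, plus sanitizing route and query parameters first) combined in one controller, as an added example that is not from this thread or from the Phalcon docs. It assumes Phalcon 3.x, a registered `filter` service and a hypothetical `Users` model with `id` and `username` columns.

```php
<?php
// Added example (not from the thread or the Phalcon docs). Assumes Phalcon 3.x,
// the default `filter` service and a hypothetical `Users` model in this namespace.

use Phalcon\Mvc\Controller;
use Phalcon\Db\Column;

class UsersController extends Controller
{
    // Route: /users/show/{id}
    public function showAction($id)
    {
        // 1. Sanitize first: the 'int' filter drops everything except digits and
        //    sign characters, so only a whole number gets past this point.
        $id = (int) $this->filter->sanitize($id, 'int');
        if ($id <= 0) {
            return $this->response->setStatusCode(400, 'Bad Request');
        }

        // 2. Bind, never concatenate. With ':id:' the value goes to PDO as a
        //    parameter and cannot change the SQL text.
        //    Never: 'conditions' => 'id = ' . $id
        $user = Users::findFirst([
            'conditions' => 'id = :id:',
            'bind'       => ['id' => $id],
            'bindTypes'  => ['id' => Column::BIND_PARAM_INT],
        ]);
        if (!$user) {
            return $this->response->setStatusCode(404, 'Not Found');
        }
        $this->view->user = $user;
    }

    // Route: /users/search?name=...
    public function searchAction()
    {
        // The 'string' filter strips tags; it is input hygiene, not an injection
        // defence, so the value is still passed as a bound parameter below.
        $name = $this->request->getQuery('name', 'string', '');

        $this->view->users = $this->modelsManager->createBuilder()
            ->from(Users::class)
            ->where('username LIKE :name:', ['name' => '%' . $name . '%'])
            ->limit(20)
            ->getQuery()
            ->execute();
    }
}
```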

Yeah, I have model validation but this is basic stuff. I use filters sometimes too if I really need an int.