
ORM and SQL Injection

Hello. Does the ORM prevent SQL injection? If I have a model like:

```php
<?php
namespace Republika\Models;

use Phalcon\Db\RawValue;

class Colors extends \Phalcon\Mvc\Model
{
    /**
     * @var integer
     */
    public $id;

    /**
     * @var string
     */
    public $text;
}
```

is it safe to enter values into this model without checking them?

```php
$text = $request->getPost("color");

$color = new Colors();
$color->text = $text;
$color->save();
```

Does Phalcon secure the model Colors from SQL injection? What will happen if I type `x' OR 1=1; drop table ....`?



Accepted answer
edited Aug '17

It uses parameter binding, so nothing will happen; it will just save the value as `x' OR 1=1;`.

You just need to remember, for example, not to do something like:

```php
$colors = Colors::find("color = $color");
```

In such an example you will have SQL injection. You need to use parameter binding in such a case.
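The two cases from the question and the answer side by side, as an added example that is not code from the original thread or from the Phalcon project. It assumes the `Republika\Models\Colors` model above (with its `text` column), a Phalcon controller with the request service and the models manager available through the DI container, and a hypothetical `ColorsController` written for illustration:

```php
<?php
// Added example, not from the original post. Assumes the Colors model from
// the question and a configured Phalcon DI container (request, modelsManager).

namespace Republika\Controllers;

use Phalcon\Db\Column;
use Phalcon\Db\RawValue;
use Phalcon\Mvc\Controller;
use Republika\Models\Colors;

class ColorsController extends Controller
{
    public function saveAction()
    {
        // Constructed attacker input, the one from the question.
        $text = $this->request->getPost("color"); // e.g. "x' OR 1=1; drop table colors; --"

        // Assignment + save(): the ORM builds the INSERT with bound
        // parameters, so the whole string is stored literally as data.
        $color = new Colors();
        $color->text = $text;

        // Caveat: wrapping input in RawValue tells the ORM to inline it
        // verbatim (meant for expressions like now()), which would reopen
        // the injection. Never do this with user-controlled data:
        // $color->text = new RawValue($text);

        if (!$color->save()) {
            foreach ($color->getMessages() as $message) {
                echo $message, PHP_EOL;
            }
        }
    }

    public function searchAction()
    {
        $text = $this->request->getQuery("color");

        // VULNERABLE (the pattern the accepted answer warns about):
        // input concatenated into the PHQL condition string. With
        // $text = "x' OR 1=1" the condition becomes  text = 'x' OR 1=1
        // and every row matches; the ORM cannot tell data from syntax here.
        // $colors = Colors::find("text = '$text'");

        // SAFE: named placeholder plus `bind`. The query text and the value
        // travel to the driver separately, so the quote and the OR are
        // never parsed as SQL.
        $colors = Colors::find([
            "conditions" => "text = :text:",
            "bind"       => ["text" => $text],
            "bindTypes"  => ["text" => Column::BIND_PARAM_STR],
        ]);

        // Positional placeholders work the same way.
        $first = Colors::findFirst([
            "conditions" => "text = ?0",
            "bind"       => [$text],
        ]);

        // The query builder takes its bind values in the same place.
        $viaBuilder = $this->modelsManager->createBuilder()
            ->from(Colors::class)
            ->where("text = :text:", ["text" => $text])
            ->getQuery()
            ->execute();

        $this->view->colors = $colors;
        $this->view->first  = $first;
        $this->view->count  = count($viaBuilder);
    }
}
```

Binding only protects values. Column names, table names and ORDER BY directions cannot be bound, so if those come from the request they have to be checked against a fixed whitelist before being placed in the PHQL string.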

edited Aug '17

[image: exploits of a mom]

relevant

The image tag isn't parsed properly because underscores are url encoded in links!