
How to protect from XSS/SQL attacks with Phalcon?

How to protect from XSS/SQL attacks with Phalcon? Could you please give some examples?

For example, with the action show of the controller Articles, I want to display an article: https://www.a.com/articles/show/1:

use Phalcon\Mvc\Controller;

class ArticlesController extends Controller
{
    // $id comes straight from the route, e.g. /articles/show/1
    public function showAction($id)
    {
        $art = Articles::findFirstById($id);
        // ...
    }
}

Is it necessary to filter the param $id, or has Phalcon already filtered it for us?

Could you please give some more examples?



1.2k

You should use the binding option to prevent SQL injection attacks. See more at: https://docs.phalcon.io/en/3.2/db-models#binding-parameters



31.3k
edited Aug '17

Is it not a binding methodology?

$art = Articles::findFirstById($id);

And I want to know how to filter the URL param $id.




145.0k
Accepted answer

It is totally safe to do this. Phalcon will use binding for the $id parameter, so there won't be any problem.

In addition to Wojciech's answer, if you need more complex queries you should always bind parameters like Xaero suggested.

Models:

$robots = Robots::find(
    [
        'name = :name: AND type = :type:',
        'bind' => [
            'name' => 'Robotina',
            'type' => 'maid',
        ],
    ]
);

Query Builder:

->where('name = :name:', ['name' => $name])
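Putting the thread's advice together in one controller, as an added example that is not from the original posts or from Phalcon itself. It assumes Phalcon 3.x, an Articles model with id/title/body columns, and the default FactoryDefault services filter, escaper and response; the commented-out concatenated query is the pattern to avoid, shown beside the bound form, and the last block covers the XSS half of the question.

```php
<?php
// Added example (not from the thread or from Phalcon). Assumes Phalcon 3.x,
// an Articles model (id, title, body) and the FactoryDefault DI services.
use Phalcon\Db\Column;
use Phalcon\Mvc\Controller;

class ArticlesController extends Controller
{
    public function showAction($id)
    {
        // 1. Sanitize the route parameter. Routing hands us a string; the
        //    'int' filter keeps only digits and sign, so "1 OR 1=1" -> "11".
        //    Reject anything that is not a positive integer early.
        $id = $this->filter->sanitize($id, 'int');
        if ($id === '' || (int) $id <= 0) {
            return $this->response->setStatusCode(404, 'Not Found');
        }

        // 2. Query with bound parameters. findFirstById() binds internally,
        //    as the accepted answer says; this explicit form is equivalent
        //    and scales to multi-column conditions. bindTypes pins the type.
        $article = Articles::findFirst([
            'conditions' => 'id = :id:',
            'bind'       => ['id' => (int) $id],
            'bindTypes'  => ['id' => Column::BIND_PARAM_INT],
        ]);

        // Pattern to avoid: user input interpolated into the PHQL string.
        // $article = Articles::findFirst('id = ' . $id); // injectable when unfiltered

        if (!$article) {
            return $this->response->setStatusCode(404, 'Not Found');
        }

        // 3. Escape on output (XSS). Volt's {{ }} only auto-escapes when the
        //    engine option 'autoescape' is enabled, so either escape here
        //    or use the |e filter in the template: {{ article.body|e }}.
        $this->view->setVar('title', $this->escaper->escapeHtml($article->title));
        $this->view->setVar('body', $this->escaper->escapeHtml($article->body));
        $this->view->setVar('article', $article); // raw object; escape in Volt
    }
}
```

Binding protects the query; it does nothing for output, so the escaping step is the one that addresses the XSS part of the question.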


31.3k

Thanks!
