How to protect from XSS/SQL attacks with Phalcon? Could you please give some examples?
For example, with the action show of the controller ofArticles, I want to display an article:
https://www.a.com/articles/show/1:
class ArticlesController extends Controller
{
public function showAction($id)
{
$art = Articles::findFirstById($id);
....
}
}Is it necessary to filter the param $id? or Phalcon just has filtered for us?
Could you please give some more examples?
you should use binding option to prevent sql injection attacks . see more @ : https://docs.phalcon.io/en/3.2/db-models#binding-parameters
Is it not a binding methodology ??
$art = Articles::findFirstById($id);And I want to know how to filter the URL param $id
you should use binding option to prevent sql injection attacks . see more @ : https://docs.phalcon.io/en/3.2/db-models#binding-parameters
This is totally safe to do it. Phalcon will use binding for $id paramter so there won't be any problem.
In addition to Wojciech answer, if you need more complex queries you should always bind parameters like Xaero suggested.
Models:
$robots = Robots::find(
[
'name = :name: AND type = :type:',
'bind' => [
'name' => 'Robotina',
'type' => 'maid',
],
]
);Query Builder:
->where('name = :name:', ['name' => $name])Thanks!
In addition to Wojciech answer, if you need more complex queries you should always bind parameters like Xaero suggested.
Models:
$robots = Robots::find( [ 'name = :name: AND type = :type:', 'bind' => [ 'name' => 'Robotina', 'type' => 'maid', ], ] );Query Builder:
->where('name = :name:', ['name' => $name])