I have a table urlTable containing URLs like this:
id url
1 abc.com/zyx.html
2 abc.com/xyz123.html
To find one of them, I use raw SQL:
$url = 'abc.com/zyx.html';
$sql = "SELECT id FROM urlTable WHERE url = ':url'";
$result = \Phalcon\DI::getDefault()->getDb()->fetchAll($sql, \Phalcon\Db::FETCH_ASSOC, ['url' => $url]);
But the result is empty. The SQL log is:
SELECT id FROM urlTable WHERE url = ':url' [{"url":"abc.com\/zyx.html"}]
So, Phalcon has escaped the / character to \/.
I have what I need when I use:
$url = 'abc.com/zyx.html';
$sql = "SELECT id FROM urlTable WHERE url = '$url'";
$result = \Phalcon\DI::getDefault()->getDb()->fetchAll($sql, \Phalcon\Db::FETCH_ASSOC);
The SQL log is:
SELECT id FROM urlTable WHERE url = 'abc.com\/zyx.html'
What is wrong when I use the first way to avoid SQL injection?
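The same lookup with the placeholder bound correctly, as an added example that is not code from the question or from Phalcon itself. It assumes a `db` service is already registered in the default DI, as in the question, and that the table contains the two rows shown above.

```php
<?php
// Added example, not from the question or the Phalcon project.
// Assumes the 'db' service is registered in the default DI as in the question.

use Phalcon\DI;
use Phalcon\Db;

/**
 * Look up the id for an exact URL match using a bound parameter.
 *
 * The placeholder must not be wrapped in quotes. In the question's first
 * attempt, WHERE url = ':url' compares the column against the literal string
 * ":url"; the bound value is never used, so the query matches nothing.
 * With :url unquoted, the driver sends $url separately from the SQL text:
 * no character in it (including / or ') needs escaping, and none of it can
 * change the structure of the statement. That is what makes this form safe
 * against SQL injection, unlike interpolating '$url' into the string.
 */
function findUrlId(string $url): ?int
{
    $sql = 'SELECT id FROM urlTable WHERE url = :url';
    $rows = DI::getDefault()
        ->getDb()
        ->fetchAll($sql, Db::FETCH_ASSOC, ['url' => $url]);

    return $rows ? (int) $rows[0]['id'] : null;
}

// The value is passed through unchanged. The \/ in the question's second log
// line appears even though $url contains no backslash, so the backslash is
// added by the log formatting, not by what reaches the database.
var_dump(findUrlId('abc.com/zyx.html'));    // int(1) for the rows in the question
var_dump(findUrlId('abc.com/missing.html')); // NULL
```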