SQL Injection in Resultset() call possible?

Hey guys,

I don't find any information about a SQL Injection when I call the Resultset() Method. For example:

    use Phalcon\Mvc\Model\Resultset\Simple as Resultset;

    // $id is concatenated straight into the SQL text (closing quote added; the
    // original post was missing it)
    $sql = "SELECT * FROM video v WHERE v.id = '" . $id . "'";

    // Base model
    $video = new video();

    // Execute the query
    return new Resultset(null, $video, $video->getReadConnection()->query($sql));

Does anybody know if the SQL Query will be escaped to avoid SQL Injections? Or do I have to do it in another way?

Thanks all!



Accepted answer

https://docs.phalcon.io/en/latest/reference/phql.html#using-raw-sql

    use Phalcon\Mvc\Model\Resultset\Simple as Resultset;

    // "?" is a placeholder; the value is bound by the driver, not spliced into the SQL
    $sql = "SELECT * FROM video v WHERE v.id = ?";

    // Base model
    $video = new video();

    // Execute the query, passing $id as a bound parameter
    return new Resultset(null, $video, $video->getReadConnection()->query($sql, array($id)));
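Added example, not code from the thread or from Phalcon itself: the concatenated query from the question next to parameterised versions built on the same `Resultset` pattern, using positional and named placeholders plus bind types, and the common case of a variable-length `IN (...)` list. It assumes a model class `Video` mapped to the `video` table, `Resultset` aliased to `Phalcon\Mvc\Model\Resultset\Simple`, and the adapter's `query($sql, $bindParams, $bindTypes)` signature.

```php
<?php
// Added example (not from the thread). Assumes a Phalcon model class Video for
// the table `video`, with the ORM and a read connection already configured.
use Phalcon\Db\Column;
use Phalcon\Mvc\Model\Resultset\Simple as Resultset;

// UNSAFE: $id becomes part of the SQL text. Nothing escapes it, so a quote or
// other SQL syntax inside $id changes the statement itself (the question's code).
function findVideoUnsafe(Video $video, string $id): Resultset
{
    $sql = "SELECT * FROM video v WHERE v.id = '" . $id . "'";
    return new Resultset(null, $video, $video->getReadConnection()->query($sql));
}

// SAFE: the value is sent to the driver as a bound parameter, separate from the
// SQL text, so it is never parsed as SQL. The bind type makes PDO send it as an
// integer instead of a string.
function findVideoById(Video $video, int $id): Resultset
{
    $sql = "SELECT * FROM video v WHERE v.id = :id";
    $result = $video->getReadConnection()->query(
        $sql,
        ['id' => $id],
        ['id' => Column::BIND_PARAM_INT]
    );
    return new Resultset(null, $video, $result);
}

// SAFE for a variable-length list: only the literal "?" placeholders are
// generated and concatenated; every value is still bound, with one bind type
// per positional parameter (Phalcon expects a type for each bound index).
function findVideosByIds(Video $video, array $ids): Resultset
{
    if ($ids === []) {
        // "IN ()" is a syntax error on most databases; match nothing instead.
        $ids = [-1];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = "SELECT * FROM video v WHERE v.id IN ($placeholders) ORDER BY v.id";
    $bindTypes = array_fill(0, count($ids), Column::BIND_PARAM_INT);
    $result = $video->getReadConnection()->query($sql, array_values($ids), $bindTypes);
    return new Resultset(null, $video, $result);
}

// Usage inside a controller or service where the DI container is set up:
// foreach (findVideosByIds(new Video(), [3, 7, 42]) as $row) { echo $row->id, PHP_EOL; }
```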