

SQL Injection in Resultset() call possible?

Hey guys,

I can't find any information about SQL injection when I call the Resultset() method. For example:

    // $id is concatenated straight into the SQL text
    $sql = "SELECT * FROM video v WHERE v.id = '" . $id . "'";

    // Base model
    $video = new video();

    // Execute the query
    return new Resultset(null, $video, $video->getReadConnection()->query($sql));

Does anybody know if the SQL Query will be escaped to avoid SQL Injections? Or do I have to do it in another way?

Thanks all!



Accepted answer

http://docs.phalcon.io/en/latest/reference/phql.html#using-raw-sql

$sql = "SELECT * FROM video v WHERE v.id = ?";

// Base model
$video = new video();

// Execute the query
return new Resultset(null, $video, $video->getReadConnection()->query($sql, array($id)));
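To make the difference concrete, here is an added, runnable comparison of the two approaches from this thread; it is example code written for this page, not code from the original posts or from the Phalcon project. It assumes Phalcon 3.x/4.x with the PDO SQLite driver available, and the `video` table, the `Video` model class, the sample rows and the helper function names are all constructed for the demo.

```php
<?php
// Added example (not from the thread). Assumes Phalcon 3.x/4.x with the
// PDO SQLite driver. Table, model, rows and function names are constructed.
use Phalcon\Db\Adapter\Pdo\Sqlite;
use Phalcon\Di\FactoryDefault;
use Phalcon\Mvc\Model;
use Phalcon\Mvc\Model\Resultset\Simple;

// Hypothetical model that maps onto the constructed "video" table.
class Video extends Model
{
    public $id;
    public $title;

    public function initialize()
    {
        $this->setSource('video');
    }
}

// In-memory SQLite so the demo needs no database server (constructed data).
$db = new Sqlite(['dbname' => ':memory:']);
$db->execute("CREATE TABLE video (id INTEGER PRIMARY KEY, title TEXT)");
$db->execute("INSERT INTO video (id, title) VALUES (1, 'first'), (2, 'second')");

// Models resolve the "db" service from the DI container.
$di = new FactoryDefault();
$di->setShared('db', $db);

// Unsafe variant from the question: $id becomes part of the SQL text, so a
// value containing quotes changes the statement itself.
function findVideoUnsafe($db, $id)
{
    $sql = "SELECT * FROM video v WHERE v.id = '" . $id . "'";
    return new Simple(null, new Video(), $db->query($sql));
}

// Hardened variant from the accepted answer: the statement text is fixed and
// $id is sent separately as a bound parameter, so it can only ever be a value.
function findVideoSafe($db, $id)
{
    $sql = "SELECT * FROM video v WHERE v.id = ?";
    return new Simple(null, new Video(), $db->query($sql, [$id]));
}

// A well-formed id behaves the same either way.
echo "safe,   id=1: " . count(findVideoSafe($db, 1)) . " row(s)\n";

// A malformed id shows the difference: the unsafe query is rewritten by the
// input and matches every row, the bound query simply matches nothing.
$malformed = "1' OR '1'='1";
echo "unsafe, malformed: " . count(findVideoUnsafe($db, $malformed)) . " row(s)\n";
echo "safe,   malformed: " . count(findVideoSafe($db, $malformed)) . " row(s)\n";
```

Run it with `php example.php`. The point to take away is that `query($sql, $bindParams)` hands the values to PDO as parameters rather than splicing them into the string, which is why the accepted answer's `?` placeholder closes the hole; the Resultset wrapper itself does no escaping of the SQL you give it.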