We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

SQL Injection in Resultset() call possible?

Hey guys,

I don't find any information about a SQL Injection when I call the Resulset() Method. For example:

    $sql = "SELECT * FROM video v WHERE v.id = '" .$id. ";

    // Base model
    $video = new video();

    // Execute the query
    return new Resultset(null, $video, $video->getReadConnection()->query($sql));

Does anybody know if the SQL Query will be escaped to avoid SQL Injections? Or do I have to do it in another way?

Thanks all!



5.0k
Accepted
answer

https://docs.phalcon.io/en/latest/reference/phql.html#using-raw-sql

$sql = "SELECT * FROM video v WHERE v.id = ?";

// Base model
$video = new video();

// Execute the query
return new Resultset(null, $video, $video->getReadConnection()->query($sql,array($id)));