
PHQL Model::findFirstByX($x) SQL Injection

Hello, I'd just like confirmation that when I use Model::findFirstByEmail($email), for example, the statement is somehow protected (binding) against SQL injection from $email, or should I use something else?

Yes, Phalcon binds the param internally.

You can see it here in Zephir: https://github.com/phalcon/cphalcon/blob/2.0.0/phalcon/mvc/model.zep (lines 4091 to 4097)
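
A way to check the binding described in this thread, as an added example that is not part of the original posts or Phalcon's own code: it logs each statement with its bound variables for the magic finder and for the explicit bind form. The Users model, the in-memory SQLite table and the input value are assumptions constructed for illustration.

```php
<?php
// Added example. Assumes the Phalcon and pdo_sqlite extensions are loaded.
// The Users model, table and sample values are constructed for illustration.
use Phalcon\Db\Adapter\Pdo\Sqlite;
use Phalcon\Di\FactoryDefault;
use Phalcon\Events\Manager;
use Phalcon\Mvc\Model;

class Users extends Model
{
    public $id;
    public $email;
}

$di = new FactoryDefault();
$di->setShared('db', function () {
    $db = new Sqlite(['dbname' => ':memory:']);
    $db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
    $db->execute("INSERT INTO users (email) VALUES ('alice@example.com')");

    // Print every statement and its bound variables as it reaches the driver.
    // Phalcon's table introspection queries show up here as well.
    $events = new Manager();
    $events->attach('db:beforeQuery', function ($event, $connection) {
        echo $connection->getSQLStatement(), ' | bind: ',
            json_encode($connection->getSqlVariables()), PHP_EOL;
    });
    $db->setEventsManager($events);
    return $db;
});

$email = "nobody' OR '1'='1"; // constructed input containing quote characters

// Magic finder from the thread: the value travels as a bound parameter.
$viaMagic = Users::findFirstByEmail($email);

// The same lookup written with an explicit placeholder and bind array.
$viaBind = Users::findFirst([
    'conditions' => 'email = ?0',
    'bind'       => [$email],
]);

// Both compare the column against the input as a single literal value.
var_dump((bool) $viaMagic, (bool) $viaBind);
var_dump((bool) Users::findFirstByEmail('alice@example.com'));

// By contrast, Users::findFirst("email = '$email'") builds the PHQL text from
// the input itself; nothing is bound there, so use the bind array for that form.
```

In the logged SELECT lines the input appears only in the bind list, never inside the SQL text.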