We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

SQL Injection when using executeQuery

gkelly1981 May '14

Created May '14	Last Reply May '14	Replies 1	Views 936	Votes 0

gkelly1981 6.6k

May '14

$phql = "SELECT * FROM Robots WHERE id = :id:";
$robot = $app->modelsManager->executeQuery($phql, array(
            'id' => $id
        ))->getFirst();

Does Phalcon escape that var I am passing in? mysqli_real_escape_string does not work as it needs the link.

Gigih Aji Ibrahim
1.5k

Accepted
answer

May '14

That query is safe because phalcon use prepared statement.