Solved thread


SQL Injection when using executeQuery

$phql = "SELECT * FROM Robots WHERE id = :id:";
$robot = $app->modelsManager->executeQuery($phql, array(
    'id' => $id
));

Does Phalcon escape that var I am passing in? mysqli_real_escape_string does not work as it needs the link.


That query is safe because Phalcon uses prepared statements.
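As an added example (not code from the original thread or from Phalcon's own documentation), the two forms side by side: the placeholder form from the question next to the string-concatenation form it replaces, with an input that turns the concatenated one into a PHQL `OR`. It assumes a `Robots` model with an integer `id` column and a `Phalcon\Mvc\Micro` app whose DI has `modelsManager` registered, as in the question.

```php
<?php
// Added example, not part of the original thread. Assumes a Phalcon
// application with a `Robots` model (integer primary key `id`) and the
// models manager available as $app->modelsManager.

use Phalcon\Db\Column;
use Phalcon\Mvc\Model\ManagerInterface;

/**
 * VULNERABLE: the user value is spliced into the PHQL text, so the PHQL
 * parser treats it as part of the statement. With $id = "1 OR 1 = 1" the
 * condition becomes `id = 1 OR 1 = 1` and every robot is returned.
 * mysqli_real_escape_string would not help here anyway: the value is not
 * inside quotes, so escaping quote characters changes nothing.
 */
function findRobotUnsafe(ManagerInterface $modelsManager, string $id)
{
    $phql = "SELECT * FROM Robots WHERE id = " . $id;
    return $modelsManager->executeQuery($phql);
}

/**
 * SAFE: the statement text is fixed and only the placeholder value travels
 * to the database as a bound parameter of a prepared statement. The same
 * input "1 OR 1 = 1" is now compared as a value against `id`, never parsed
 * as PHQL. Declaring the bind type and casting is defence in depth: the
 * value reaches the driver as an integer, so a non-numeric string cannot
 * even reach the comparison as text.
 */
function findRobotSafe(ManagerInterface $modelsManager, $id)
{
    $phql = "SELECT * FROM Robots WHERE id = :id:";
    return $modelsManager->executeQuery(
        $phql,
        ['id' => (int) $id],
        ['id' => Column::BIND_PARAM_INT]
    );
}

// Usage with the $app from the question; $attackerInput is a constructed
// payload for the demonstration.
$attackerInput = '1 OR 1 = 1';

$all = findRobotUnsafe($app->modelsManager, $attackerInput);
echo 'unsafe query returned ' . count($all) . " rows\n";   // every robot in the table

$one = findRobotSafe($app->modelsManager, $attackerInput);
echo 'safe query returned ' . count($one) . " rows\n";     // at most one: (int) '1 OR 1 = 1' is 1
```

The same `bind` / `bindTypes` pair is accepted by `Robots::find()` and `Robots::findFirst()` through their `'bind'` and `'bindTypes'` options, so there is no need to build any PHQL by concatenation for simple lookups either.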