Do I need to take care of the security

in a position to filter the variables?

$robot = new Robots(); $robot->type = "mechanical"; $robot->name = "Astro Boy"; $robot->year = 1952;

//This record only must be created if ($robot->create() == false) { echo "Umh, We can't store robots right now: \n"; foreach ($robot->getMessages() as $message) { echo $message, "\n"; } } else { echo "Great, a new robot was created successfully!"; }


mysql_real_escape_string ?


No, you don't need to escape values manually, Phalcon uses bound parameters to prevent SQL injections:



How do I handle this situation without mysqli_escape_string:

        // Base model
    $client = new Client();

    // A raw SQL statement
    $sql = "select * from Client where ID not in (select ClientID from CompanyRouteNumber) and CompanyID = " . $param[0] . " and Address1 = '" .    mysqli_escape_string($client->getReadConnection(), $param[1]) . "'";

    // Execute the query
    $clients = new Resultset(null, $client, $client->getReadConnection()->query($sql));

I try, to bound parameters, but I failed.

Thank you.