I searched the documentation, but I have been unable to find an answer to the question: values inside are escaped against SQL Injection?
Yes, they are. You can check for yourself by logging the SQL statements. Just add a logger that is triggered on the 'beforeQuery' event to see for yourself.
$di->set('db', function () use ($config) {
$eventsManager = new EventsManager();
$logger = new FileLogger(dirname(__DIR__)."/logs/debug.log");
//Listen all the database events
$eventsManager->attach('db', function($event, $connection) use ($logger) {
if ($event->getType() == 'beforeQuery') {
$logger->log($connection->getSQLStatement(), Logger::INFO);
}
});
$connection = new DbAdapter(array(
'host' => $config->database->host,
'username' => $config->database->username,
'password' => $config->database->password,
'dbname' => $config->database->dbname,
'charset' => 'utf8'
));
$connection->setEventsManager($eventsManager);
return $connection;
});