
Phalcon\Mvc\Model\Criteria::inWhere and escaping values

I searched the documentation, but I have been unable to find an answer to the question: are the values inside escaped against SQL injection?



Accepted answer, edited Oct '14

Yes, they are. You can check for yourself by logging the SQL statements. Just add a logger that is triggered on the 'beforeQuery' event to see for yourself.

use Phalcon\Db\Adapter\Pdo\Mysql as DbAdapter;
use Phalcon\Events\Manager as EventsManager;
use Phalcon\Logger;
use Phalcon\Logger\Adapter\File as FileLogger;

$di->set('db', function () use ($config) {
    $eventsManager = new EventsManager();

    $logger = new FileLogger(dirname(__DIR__) . "/logs/debug.log");

    // Listen to all the database events
    $eventsManager->attach('db', function ($event, $connection) use ($logger) {
        if ($event->getType() == 'beforeQuery') {
            // Logs the SQL text exactly as it goes to the driver: bound values
            // show up as placeholders, not inline literals
            $logger->log($connection->getSQLStatement(), Logger::INFO);
        }
    });

    $connection = new DbAdapter(array(
        'host'     => $config->database->host,
        'username' => $config->database->username,
        'password' => $config->database->password,
        'dbname'   => $config->database->dbname,
        'charset'  => 'utf8'
    ));

    $connection->setEventsManager($eventsManager);

    return $connection;
});
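The check the answer above suggests, carried through end to end as an added example (this is not code from the original post or from Phalcon itself). It assumes Phalcon 2.x or 3.x with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL, and a hypothetical `Robots` model. A `beforeQuery` listener captures both the SQL text and the bind variables, attacker-style values are pushed through `Criteria::inWhere`, and the script verifies that none of them ever appears inside the statement text.

```php
<?php
// Added example: not code from the original post or from Phalcon itself.
// Assumes Phalcon 2.x/3.x, the pdo_sqlite extension, and a hypothetical
// model `Robots` mapped to a table `robots`; SQLite stands in for MySQL.
use Phalcon\Db\Adapter\Pdo\Sqlite;
use Phalcon\Di\FactoryDefault;
use Phalcon\Events\Manager as EventsManager;
use Phalcon\Mvc\Model;

class Robots extends Model {}

$di = new FactoryDefault();

// Set up a throwaway table with two rows (constructed sample data)
$db = new Sqlite(['dbname' => ':memory:']);
$db->execute('CREATE TABLE robots (id INTEGER PRIMARY KEY, name TEXT)');
$db->execute("INSERT INTO robots VALUES (1, 'Astro'), (2, 'Bender')");
$di->setShared('db', $db);

// Capture what the adapter sends to the driver: the SQL text and the
// bind variables are kept apart, which is the whole point of the check
$captured = [];
$eventsManager = new EventsManager();
$eventsManager->attach('db:beforeQuery', function ($event, $connection) use (&$captured) {
    $captured[] = [
        'sql'  => $connection->getSQLStatement(),
        'vars' => $connection->getSQLVariables(),
    ];
});
$db->setEventsManager($eventsManager);

// Constructed attacker-style input: concatenated into the query, either of
// these would match every row or break the statement outright
$untrusted = ["2' OR '1'='1", "1) OR 1=1 --"];

$criteria = Robots::query($di)->inWhere('id', $untrusted);
$robots   = $criteria->execute();

// The PHQL carries only placeholders; the values live in the bind array
echo $criteria->getPhql(), PHP_EOL;
print_r($criteria->getParams()['bind']);

// Nothing matched: the payloads were compared as plain strings against id
echo 'rows matched: ', count($robots), PHP_EOL;

// The actual check: no untrusted value was spliced into any SQL text
foreach ($captured as $entry) {
    foreach ($untrusted as $value) {
        if (strpos($entry['sql'], $value) !== false) {
            throw new RuntimeException("value interpolated into SQL: {$entry['sql']}");
        }
    }
    echo $entry['sql'], ' with ', json_encode($entry['vars']), PHP_EOL;
}
echo 'all values travelled as bind parameters', PHP_EOL;
```

Reading the log on its own can be misleading: `getSQLStatement()` shows the statement with placeholders, so an injection attempt would never be visible there even if it had succeeded somewhere else. Pairing it with `getSQLVariables()`, and asserting that the raw input is absent from the statement text, is what actually demonstrates that the values are bound rather than concatenated.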