findFirstById() <- should we use bind here?

Question

findFirstById() <- should we use bind here?

Al Jan '15

Created Jan '15	Last Reply Jan '15	Replies 5	Views 808	Votes 0

Al 20.4k

Jan '15

When using find() or findFirst() we use binding to prevent sql injections. Is this the same for findFirstById()? I tried using binding with it, but doesn't seem to work.

7thcubic · Answer 1 · 2015-01-24T10:49:47-07:00

findFirstById, i believe its the same as findFirst("id = smth").

to bind i believe its findFirst(["condition" => "id = ?1", "binds" = [1 => $id]]); or i think it is query->execute(["condition" => "id = ?1", "binds" = [1 => $id]]);

Steven · Answer 2 · 2015-01-24T12:58:34-07:00

al35mm, you could do it like this:

Users::findFirst([
    'conditions' => 'id = :id:',
    'bind' => [
        'id' => $id
    ],
    'bindTypes' => [
        'id' => \Phalcon\Db\Column::BIND_PARAM_INT
    ]
]);

bindTypes is used for a little extra security:

https://docs.phalcon.io/en/latest/reference/models.html#finding-records

"When binding parameters, you can use this parameter to define additional casting to the bound parameters increasing even more the security"

Al · Answer 3 · 2015-01-24T13:11:25-07:00

Thanks for the answers. OK so just to confirm, using findFirstBy<field>() e.g. findFirstById() is virtually unusable for security reasons, unless you are passing in an internally generated (safe) value that is not derived from a user inputted value? Thus for the most part you are better off using findFirst() with binding?

I thought that maybe findFirstBy<field>() would have automatic binding based on the field type.

Phalcon · Answer 4 · 2015-01-24T13:25:28-07:00

This:

Users::findFirstById($id);

is the same as:

Users::findFirst([
    'conditions' => 'id = :id:',
    'bind' => [
        'id' => $id
    ],
    'bindTypes' => [
        'id' => \Phalcon\Db\Column::BIND_PARAM_INT
    ]
]);

Steven · Answer 5 · 2015-01-24T13:36:14-07:00

Honestly, I wasn't confident enough to answer whether or not it is escaped by default.

So here is what I did. I changed one of my queries and ran the query profiler.

The result is as follows:

// Issue the request
$client = Clients::findFirstByPublicKey($key);

// The profile result
SELECT `clients`.`public_key`, `clients`.`private_key`, `clients`.`status`, `clients`.`type` FROM `clients` WHERE `clients`.`public_key` = :0 LIMIT 1

It looks like the framework does indeed use prepared statements when using findFirstBy<propertyName>().

Result: Using findFirstBy<propertyName>($value) IS SECURE

Edit:: Thanks Phalcon - Was running my query profiler when you responded. Thanks again!

Al · Answer 6 · 2015-01-24T14:00:20-07:00

Ak ok thanks Phalcon. That changes everything - findFirstById() is automatically bound. This should be added to the binding documentation!

Thanks also Steven.

7thcubic · Answer 7 · 2015-01-24T21:26:29-07:00

7thcubic
2.1k

Jan '15

documentation is REALLY out of date, we need to update it =d