
What does "Disallow literals in PHQL" mean?

I wrote things like $artist = Artists::findFirst("name = '$name'"); in many places in my project, but it seems to run normally on 1.2.0 without an exception. If this would cause an exception, is there a way to disable this feature so that code written prior to 1.2.0 stays compatible? I've read https://docs.phalcon.io/en/latest/reference/phql.html#disabling-literals and there is no explanation of how to enable/disable this option.

Correct me if I'm wrong, but see by example:

With a literal:

 SELECT * FROM tree WHERE name="lemontree";

or again:

 SELECT * FROM tree WHERE name="<?=$somethings?>"; 

As you see, a literal is susceptible to SQL injection.

Now the same without a literal, but with bound params:

 SELECT * FROM tree WHERE name=:name;

Then you have a bind method that will protect against SQL injection by replacing :name with your literal value, with backslashes before quotes if needed, etc.

Literals are strings, numbers, .... It means that disabling literals disallows you from using them directly in your query, and you have to use bound params instead. More information here: https://devzone.advantagedatabase.com/dz/webhelp/advantage8.1/supported_statements/sql_literals.htm




You can disallow literals in the following way:

Phalcon\Mvc\Model::setup(array('phqlLiterals' => false));

Disallowing literals is not enabled by default since it can break several applications.
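To tie the two answers together, here is an added example (not code from either poster or from the Phalcon project) showing the interpolated-literal query from the question next to its bound-parameter equivalents, and the setup() switch from the second answer. It assumes a Phalcon\Mvc\Model subclass named Artists with a `name` column, as in the question, and omits the DI container and bootstrap that a real Phalcon application needs. Note that PHQL named placeholders carry a trailing colon (`:name:`), unlike the plain SQL `:name` shown in the first answer.

```php
<?php
// Added example, not from the forum thread or the Phalcon project.
// Assumed: an Artists model (Phalcon\Mvc\Model subclass) with a `name` column,
// and a bootstrapped DI container with a "db" service, omitted here.

use Phalcon\Mvc\Model;

// Untrusted input, e.g. ?name=x' OR '1'='1
$name = $_GET['name'] ?? '';

// Vulnerable form from the question: $name is interpolated into the PHQL
// string, so a quote in the input changes the structure of the statement.
$artist = Artists::findFirst("name = '$name'");

// Safe form: a named placeholder plus the "bind" array. The value is sent
// to the database driver separately and is never parsed as part of the query.
$artist = Artists::findFirst([
    'conditions' => 'name = :name:',
    'bind'       => ['name' => $name],
]);

// Same thing with a positional placeholder (?0, ?1, ...).
$artist = Artists::findFirst([
    'conditions' => 'name = ?0',
    'bind'       => [$name],
]);

// Opt in to rejecting literals globally. This is off by default, so existing
// code keeps working until you flip it. Call it once at bootstrap, before any
// query is built; after this, the interpolated form above throws an exception
// instead of executing, which is how you find the places that still need
// converting to bound parameters.
Model::setup(['phqlLiterals' => false]);
```

Turning the option on in a development or staging environment is a cheap way to audit a codebase: every query that still embeds a literal fails loudly rather than silently remaining injectable.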