ODM Sql Injection

Question

ODM Sql Injection

Derek Jul '15

Created Jul '15	Last Reply Jul '15	Replies 2	Views 423	Votes 0

Derek 27.8k

Jul '15

Hi,

I have this code snippet I am using it to search if a certain tag exists, if not that i persist a new tag into the db. This work fine, however i am concern on whether this is protected as sql injection. It's not documented.

           $tagr = Tags::findFirst( array(
                    "conditions" => array(
                        "tagName" => $tags
                    )
                ) );

            if ( !$tagr ) {
                $tagObj = new Tags();
                $tagObj->tagName = $tags;
                $tagObj->save();
            }

Andres Gutierrez
34.6k

Accepted
answer

Jul '15

There is no SQL injection in the ODM as it does not use SQL.

Tommy · Answer 1 · 2015-07-29T02:27:13-07:00

Test it, then you can be sure that it's protected or not. But I would say it is, when you use the following way:

$tagr = Tag::findFirst(array(
   'tagName = ?0',
   'bind' => array($tags)
));