
ODM Sql Injection

Hi,

I have this code snippet that I am using to search whether a certain tag exists; if not, I persist a new tag into the DB. This works fine, however I am concerned about whether this is protected against SQL injection. It's not documented.

$tagr = Tags::findFirst( array(
    "conditions" => array(
        "tagName" => $tags
    )
) );

if ( !$tagr ) {
    $tagObj = new Tags();
    $tagObj->tagName = $tags;
    $tagObj->save();
}


7.0k

Test it, then you can be sure whether it's protected or not. But I would say it is when you use the following way:

$tagr = Tag::findFirst(array(
   'tagName = ?0',
   'bind' => array($tags)
));


34.6k
Accepted answer

There is no SQL injection in the ODM as it does not use SQL.
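Added example, not code from the thread, covering both the find-or-create pattern in the question and the bound-parameter form from the first reply. It assumes a Phalcon 3.x application with a `Tags` class extending Phalcon\Mvc\Collection (MongoDB ODM) and a hypothetical `TagsModel` extending Phalcon\Mvc\Model for a SQL-backed table, each with a `tagName` field. The extra step, which neither post shows, is the input check: the tag name usually comes from the request, and request values can arrive as arrays, so only a plain string is allowed through to the query.

```php
<?php
// Added example (not from the original thread). Assumes Phalcon 3.x with a
// `Tags` class (Phalcon\Mvc\Collection, MongoDB) and a hypothetical
// `TagsModel` (Phalcon\Mvc\Model, SQL), both with a `tagName` field.
declare(strict_types=1);

// Normalise untrusted request input to one plain tag name. Request values can
// arrive as arrays (e.g. tags[]=x); only a string may reach the query.
function tagNameFromInput($raw): string
{
    if (!is_string($raw)) {
        throw new \InvalidArgumentException('tagName must be a string');
    }
    $name = trim($raw);
    if ($name === '' || strlen($name) > 64) {
        throw new \InvalidArgumentException('tagName is empty or too long');
    }
    return $name;
}

// ODM variant (the question): the conditions array is a MongoDB query
// document, so $tagName is sent as a value, not spliced into a query string.
function findOrCreateTagOdm(string $tagName): Tags
{
    $tag = Tags::findFirst([
        'conditions' => ['tagName' => $tagName],
    ]);
    if (!$tag) {
        $tag = new Tags();
        $tag->tagName = $tagName;
        $tag->save();
    }
    return $tag;
}

// PHQL variant (the first reply) for a SQL-backed model: the value travels as
// bound parameter ?0 and is never concatenated into the condition string.
function findOrCreateTagOrm(string $tagName): TagsModel
{
    $tag = TagsModel::findFirst([
        'conditions' => 'tagName = ?0',
        'bind'       => [$tagName],
    ]);
    if (!$tag) {
        $tag = new TagsModel();
        $tag->tagName = $tagName;
        $tag->save();
    }
    return $tag;
}
```

From a controller you would call `findOrCreateTagOdm(tagNameFromInput($this->request->getPost('tagName')))`, so a rejected value raises before any query is built.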