How to solve SQL injections


I am using Phalcon but not the ORM. I am sending my own queries to the database.

A few days ago I realized that when I call $this->get("name") from any controller, the string passed by the user is not sanitized, so I am potentially sending dangerous SQL code straight to the database.

My project is around a million lines of code now and I cannot go through every single get() and add the second parameter. I need a way to overwrite the get() method from the bootstrap and sanitize all responses at once.

I have been trying this for a few days without luck. Can you guys point me in the right direction, or help with a better solution?

Thank you!

Thanks for your response. I am actually using the Phalcon framework to contact the DB, just not the ORM. For instance, I am using the following code to run a query:

$sql = "SELECT blah FROM blah"; $this->di->get('db')->query($sql);

The good part is that this code is centralized inside a function that I call throughout the system. Maybe I can sanitize here... Any ideas how?

Hello, you can use PDO or something like this.

edited May '17

Try to adapt something like this:

use Phalcon\Db\Column;

// Positional placeholder: the value travels separately from the SQL text
$resultset = $connection->query(
    "SELECT * FROM robots WHERE type = ?",
    ["mechanical"] // sample value
);

// Named placeholder via a prepared statement
$statement = $connection->prepare(
    "SELECT * FROM robots WHERE name = :name"
);
$result = $connection->executePrepared(
    $statement,
    ["name" => "Voltron"],
    ["name" => Column::BIND_PARAM_STR]
);
edited May '17
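As an added example (not code from this thread or from Phalcon itself), here is a centralized helper in the shape of the query function the original poster describes, showing the concatenated query beside its bound replacement. It assumes Phalcon 3.x, that $di->get('db') returns a Phalcon\Db adapter, and a robots table with a name column; the class and method names are hypothetical.

```php
<?php
use Phalcon\Db;
use Phalcon\Db\Column;

// Hypothetical wrapper standing in for the centralized query function
// from the thread. $db is assumed to be the adapter returned by
// $di->get('db') (Phalcon 3.x, e.g. Phalcon\Db\Adapter\Pdo\Mysql).
class QueryRunner
{
    private $db;

    public function __construct($db)
    {
        $this->db = $db;
    }

    // The pattern the thread is worried about: request data spliced into
    // the SQL text. An input such as   ' OR '1'='1   rewrites the WHERE
    // clause, and a filter inside get() cannot reliably catch every variant.
    public function findRobotUnsafe(string $name)
    {
        $sql = "SELECT * FROM robots WHERE name = '" . $name . "'";
        return $this->db->fetchAll($sql, Db::FETCH_ASSOC);
    }

    // Hardened form: the SQL text is constant and the value is bound, so
    // the same input is compared literally against the name column.
    public function findRobot(string $name)
    {
        $sql = "SELECT * FROM robots WHERE name = :name";
        return $this->db->fetchAll(
            $sql,
            Db::FETCH_ASSOC,
            ["name" => $name],
            ["name" => Column::BIND_PARAM_STR]
        );
    }

    // Replacement for the "$this->di->get('db')->query($sql)" call above:
    // callers put placeholders in $sql and pass the values in $params.
    public function run(string $sql, $params = null, $types = null)
    {
        return $this->db->query($sql, $params, $types);
    }
}

// Usage with constructed input; $name would normally come from the request:
// $runner = new QueryRunner($di->get('db'));
// $rows   = $runner->findRobot($name);
// $rows   = $runner->run("SELECT * FROM robots WHERE type = ?", ["mechanical"]);
```

Because the centralized function takes the finished SQL string, it cannot make already-concatenated queries safe; each call site has to pass its values through $params instead of into the string.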

Use binding.

Why not use the ORM? You can build your own queries in PHQL too, and having OOP is much nicer and cleaner.