Solved thread


ORM and SQL Injection

Hello. Does the ORM prevent SQL injection? If I have a model like:

<?php

namespace Republika\Models;

use Phalcon\Db\RawValue;

class Colors extends \Phalcon\Mvc\Model
{
    /**
     * @var integer
     */
    public $id;

    /**
     * @var string
     */
    public $text;
}

is it safe to enter values into this model without checking them?

$text = $request->getPost("color");

$color = new Colors();
$color->text = $text;
$color->save();

Does Phalcon secure the model Colors from SQL injection? What will happen if I type x' OR 1=1; drop table .... ?

edited Aug '17

It uses parameter binding, so nothing will happen; it will just save the value as x' OR 1=1;

You just need to remember, for example, not to do something like:

$colors = Colors::find("color = $color");

In such an example you will have SQL injection. You need to use parameter binding in such a case.

edited Aug '17
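The two paths discussed in this thread side by side, as an added example that is not code from the thread or from the Phalcon project. It assumes the Colors model from the question (with its "text" column) exists and that the Phalcon ORM has been bootstrapped with a DI container providing the "db" service; the placeholder syntax (:name: and ?0) and the "conditions"/"bind" array form are Phalcon's documented query API.

```php
<?php
// Added example, not part of the original thread. Assumes the Republika\Models\Colors
// model from the question and a bootstrapped Phalcon DI with a "db" service.

use Republika\Models\Colors;

// 1. Assigning request input to a model property and calling save() is the safe
//    path from the question: the ORM builds a prepared statement and sends the
//    value as a bound parameter, so quotes and keywords inside it are stored as
//    plain text rather than interpreted as SQL.
function saveColor(string $userInput): bool
{
    $color = new Colors();
    $color->text = $userInput;   // e.g. "x' OR 1=1; DROP TABLE colors; --" is stored literally
    return $color->save();
}

// 2. VULNERABLE (the pattern the answer warns about): interpolating user input
//    into the PHQL condition string. The input becomes part of the query text,
//    so "x' OR 1=1" rewrites the WHERE clause instead of being compared as data.
function findColorsUnsafe(string $userInput)
{
    return Colors::find("text = '$userInput'");
}

// 3. SAFE: the condition contains only a named placeholder (:text:) and the
//    value travels separately through "bind", so the database receives it as a
//    parameter and never parses it as SQL.
function findColorsSafe(string $userInput)
{
    return Colors::find([
        'conditions' => 'text = :text:',
        'bind'       => ['text' => $userInput],
    ]);
}

// Positional placeholders (?0, ?1, ...) are bound by index and work the same way.
function findFirstColorSafe(string $userInput)
{
    return Colors::findFirst([
        'conditions' => 'text = ?0',
        'bind'       => [$userInput],
    ]);
}

// Constructed input for a manual check: with the bound versions, this string
// only matches a row whose text is exactly this value (normally none), while
// the interpolated version would turn it into a different query.
$input = "x' OR 1=1; DROP TABLE colors; --";
saveColor($input);
$rows = findColorsSafe($input);
echo count($rows) . " row(s) with that exact text\n";
```

A quick way to confirm which behaviour you are getting is to enable the ORM's SQL logging (an event listener on "db:beforeQuery" that logs `$connection->getSQLStatement()` and `$connection->getSQLVariables()`): the bound versions log a statement containing `?` markers with the input in the variables array, whereas the interpolated version logs the input embedded in the statement text itself.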

exploits of a mom


The image tag isn't parsed properly because underscores are URL encoded in links!