Solved thread


How to protect from XSS/SQL attacks with Phalcon?

How to protect from XSS/SQL attacks with Phalcon? Could you please give some examples?

For example, with the show action of the Articles controller, I want to display an article: http://www.a.com/articles/show/1:

```php
<?php
use Phalcon\Mvc\Controller;

class ArticlesController extends Controller
{
    public function showAction($id)
    {
        $art = Articles::findFirstById($id);
        // ...
    }
}
```

Is it necessary to filter the param $id, or has Phalcon already filtered it for us?

Could you please give some more examples?




You should use the binding option to prevent SQL injection attacks. See more at https://docs.phalconphp.com/en/3.2/db-models#binding-parameters



edited Aug '17

Is it not a binding methodology?

```php
$art = Articles::findFirstById($id);
```

And I want to know how to filter the URL param $id.




Accepted answer

This is totally safe to do. Phalcon will use binding for the $id parameter, so there won't be any problem.

In addition to Wojciech's answer, if you need more complex queries you should always bind parameters, like Xaero suggested.

Models:

```php
$robots = Robots::find(
    [
        'name = :name: AND type = :type:',
        'bind' => [
            'name' => 'Robotina',
            'type' => 'maid',
        ],
    ]
);
```

Query Builder:

```php
->where('name = :name:', ['name' => $name])
```
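As an added example (not code from the thread or from Phalcon itself), here is how the two concerns in the question, SQL injection and XSS, are handled together in a Phalcon 3.x controller: the route parameter is type-filtered, every hand-written condition is bound, and output is escaped. The Articles model, its title and slug columns and the ?slug= query parameter are assumptions.

```php
<?php
// Added example, not code from the thread. Targets Phalcon 3.x; the Articles model,
// its title and slug columns and the ?slug= query parameter are assumed for illustration.
use Phalcon\Mvc\Controller;

class ArticlesController extends Controller
{
    public function showAction($id)
    {
        // SQL side: the magic finder binds $id internally, as the accepted answer says,
        // so nothing is concatenated into the query. Type-filtering the route parameter
        // first is cheap defence in depth: junk never reaches the model layer.
        $id = (int) $this->filter->sanitize($id, 'int');
        $article = $id > 0 ? Articles::findFirstById($id) : false;
        if ($article === false) {
            $this->response->setStatusCode(404, 'Not Found');
            return $this->response;
        }

        // Hand-written conditions are where injection happens. The pattern to avoid:
        //   Articles::find("slug = '" . $this->request->getQuery('slug') . "'");
        // Bind the value instead: the driver sends it separately from the query text.
        $slug    = $this->request->getQuery('slug', 'string', '');
        $related = Articles::find([
            'conditions' => 'slug = :slug: AND id <> :id:',
            'bind'       => ['slug' => $slug, 'id' => $id],
        ]);

        // Same rule with the query builder.
        $others = $this->modelsManager->createBuilder()
            ->from(Articles::class)
            ->where('id <> :id:', ['id' => $id])
            ->limit(5)
            ->getQuery()
            ->execute();

        // XSS side: binding protects the database, not the browser. Escape every
        // user-controlled value when it lands in HTML. Volt does not escape {{ }}
        // output unless autoescape is enabled, so write {{ article.title | e }};
        // in a plain PHP view, echo $this->escaper->escapeHtml($article->title).
        $this->view->setVars([
            'article'   => $article,
            'related'   => $related,
            'others'    => $others,
            'titleAttr' => $this->escaper->escapeHtmlAttr($article->title),
        ]);
    }
}
```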



Thanks!
