Solved thread


SQL Injection in Resultset() call possible?

Hey guys,

I can't find any information about SQL injection when I call the Resultset() method. For example:

    // $id is concatenated straight into the SQL text (the closing quote and
    // string terminator were missing in the original snippet)
    $sql = "SELECT * FROM video v WHERE v.id = '" . $id . "'";

    // Base model
    $video = new video();

    // Execute the raw SQL on the model's read connection and wrap the
    // result in a Resultset
    return new Resultset(null, $video, $video->getReadConnection()->query($sql));

Does anybody know if the SQL query will be escaped to avoid SQL injection? Or do I have to do it in another way?

Thanks all!



Accepted answer

http://docs.phalconphp.com/en/latest/reference/phql.html#using-raw-sql

    // The SQL text is fixed; the value is passed as a positional bind parameter
    $sql = "SELECT * FROM video v WHERE v.id = ?";

    // Base model
    $video = new video();

    // Execute the query with $id bound to the ? placeholder
    return new Resultset(null, $video, $video->getReadConnection()->query($sql, array($id)));
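As an added illustration (not code from the thread or from the Phalcon project), the block below puts the two approaches side by side: it shows what the concatenated query from the question turns into when `$id` carries a crafted value, the bound-parameter form from the accepted answer with both positional and named placeholders, and the caveat that bind parameters cover values only, never identifiers. It assumes a model class `video` whose `getReadConnection()` returns a Phalcon Db adapter, and `Phalcon\Mvc\Model\Resultset\Simple` aliased as `Resultset` as in the linked docs; the column names in the whitelist are placeholders.

```php
<?php
// Added example; not part of the original thread or the Phalcon code base.
// Assumed: a model class `video` with getReadConnection(), and the Resultset
// alias used in the Phalcon "Using Raw SQL" docs.
use Phalcon\Mvc\Model\Resultset\Simple as Resultset;

// The question's approach: the value is pasted into the SQL text.
function buildConcatenated(string $id): string
{
    return "SELECT * FROM video v WHERE v.id = '" . $id . "'";
}

// Constructed malicious input: closes the quoted literal and appends a tautology.
$attackerId = "1' OR '1'='1";
echo buildConcatenated($attackerId), PHP_EOL;
// Resulting SQL: SELECT * FROM video v WHERE v.id = '1' OR '1'='1'
// The WHERE clause is now always true, so every row comes back.

// The answer's approach: the SQL text never changes; the value travels
// separately as a bind parameter, so the quote in $attackerId is data, not syntax.
function findVideoById(string $id): Resultset
{
    $video = new video();
    $sql   = "SELECT * FROM video v WHERE v.id = ?";
    return new Resultset(null, $video, $video->getReadConnection()->query($sql, [$id]));
}

// Named placeholders are handled the same way by the Db adapter.
function findVideoByIdNamed(string $id): Resultset
{
    $video = new video();
    $sql   = "SELECT * FROM video v WHERE v.id = :id";
    return new Resultset(null, $video, $video->getReadConnection()->query($sql, ['id' => $id]));
}

// Caveat: binding only protects values. Table and column names (for example an
// ORDER BY target chosen by the user) cannot be bound, so they must be checked
// against a fixed whitelist before being spliced into the SQL text.
function videosOrderedBy(string $orderBy): Resultset
{
    $allowed = ['id', 'title', 'created_at']; // placeholder column names
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $video = new video();
    $sql   = "SELECT * FROM video v ORDER BY v." . $orderBy;
    return new Resultset(null, $video, $video->getReadConnection()->query($sql));
}
```

The bound-parameter functions are the ones to copy: the database driver receives the statement and the values as separate items, so no escaping of `$id` is needed or attempted in PHP. The whitelist function exists only because identifiers cannot be passed as parameters; for those, `in_array` with strict comparison against a literal list is the check that keeps user input out of the query text.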