Solved thread

SQL Injection when using executeQuery

$phql  = "SELECT * FROM Robots WHERE id = :id:";   // :id: is a PHQL named placeholder
$robot = $app->modelsManager->executeQuery($phql, array(
    'id' => $id,   // passed as a bound parameter, not spliced into the query text
))->getFirst();

Does Phalcon escape the variable I am passing in? mysqli_real_escape_string does not work as it needs the link.

Accepted answer

That query is safe because Phalcon uses prepared statements.
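To make the accepted answer concrete, here is the same lookup written the unsafe way (string concatenation) next to the safe way (a PHQL placeholder bound as a parameter), plus the one caveat a practitioner should know: binding covers values only, not column names or sort direction. This is an added example, not code from the original thread or from the Phalcon project; it assumes a Robots model, a modelsManager configured on $app, and an attacker-controlled $id and $sort taken from the request.

```php
<?php
// Added example (not from the original thread). Assumes a Robots model and a
// modelsManager on $app, as in the question.
use Phalcon\Db\Column;

// Attacker-controlled input, constructed for this example.
$id = "1 OR 1 = 1";

// UNSAFE: concatenation puts the raw value into the statement text, so the
// PHQL parser sees "WHERE id = 1 OR 1 = 1" and the query returns every row.
$phqlUnsafe = "SELECT * FROM Robots WHERE id = " . $id;
$allRobots  = $app->modelsManager->executeQuery($phqlUnsafe);

// SAFE: :id: is a named placeholder. The statement is prepared with the
// placeholder in it and the value is sent separately as a bound parameter,
// so it is never parsed as part of the query. The optional third argument
// pins the bind type; with BIND_PARAM_INT the string above is sent as an
// integer and cannot change the statement's structure either way.
$phql  = "SELECT * FROM Robots WHERE id = :id:";
$robot = $app->modelsManager->executeQuery(
    $phql,
    ['id' => $id],
    ['id' => Column::BIND_PARAM_INT]
)->getFirst();

// getFirst() returns false when nothing matches, so check before using it.
if ($robot === false) {
    echo "no robot with id " . (int) $id . PHP_EOL;
}

// The same binding through the model finder, which is usually shorter:
$robot = Robots::findFirst([
    'conditions' => 'id = :id:',
    'bind'       => ['id' => $id],
    'bindTypes'  => ['id' => Column::BIND_PARAM_INT],
]);

// Caveat: placeholders bind values only. A column name or sort direction
// cannot be bound, so anything that lands in ORDER BY or a column position
// has to be checked against a whitelist before it touches the statement.
$allowedColumns = ['id', 'name', 'type'];
$sort = $_GET['sort'] ?? 'id';   // attacker-controlled, constructed input
if (!in_array($sort, $allowedColumns, true)) {
    $sort = 'id';
}
$type   = $_GET['type'] ?? 'mechanical';   // a value: fine to bind
$phql   = "SELECT * FROM Robots WHERE type = :type: ORDER BY " . $sort;
$robots = $app->modelsManager->executeQuery($phql, ['type' => $type]);
```

The whitelist step is the part people forget: once a query is "parameterized" it is easy to assume every input is covered, but only the values behind placeholders are. Anything that decides the shape of the statement (table, column, ORDER BY, LIMIT written as raw text) still has to be validated by you.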