SQL Injection when using executeQuery

$phql = "SELECT * FROM Robots WHERE id = :id:";
$robot = $app->modelsManager->executeQuery($phql, array(
    'id' => $id
))->getFirst();

Does Phalcon escape that var I am passing in? mysqli_real_escape_string does not work as it needs the link.

Accepted answer

That query is safe because Phalcon uses prepared statements.
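To show why a bound parameter is safe while string interpolation is not, here is an added example that is not part of this thread or of Phalcon itself. It uses Python's sqlite3 module, because the mechanism is the same one the accepted answer relies on: the driver sends the SQL text and the value separately, so the value is treated as data and never parsed as SQL. The `robots` table, its rows and the `find_robot_*` helpers are all constructed for this demonstration; note that sqlite3's placeholder is `:id`, whereas PHQL writes it `:id:`.

```python
import sqlite3


def make_db():
    """Build an in-memory table with three constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE robots (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO robots (id, name) VALUES (?, ?)",
        [(1, "Astro Boy"), (2, "Bender"), (3, "Wall-E")],
    )
    return conn


def find_robot_bound(conn, robot_id):
    """Safe form: the value travels as a bound parameter of a prepared
    statement, exactly like `:id:` in the PHQL query above. Whatever the
    caller passes is compared against the id column as a value; it is
    never spliced into the SQL text, so it cannot change the query."""
    return conn.execute(
        "SELECT id, name FROM robots WHERE id = :id", {"id": robot_id}
    ).fetchall()


def find_robot_concat(conn, robot_id):
    """Unsafe form, shown only for contrast: the value is pasted into the
    SQL string, so anything that looks like SQL is executed as SQL."""
    return conn.execute(
        f"SELECT id, name FROM robots WHERE id = {robot_id}"
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(find_robot_bound(conn, 2))              # [(2, 'Bender')]
    print(find_robot_bound(conn, "2 OR 1=1"))     # [] -> treated as a literal, matches nothing
    print(find_robot_concat(conn, "2 OR 1=1"))    # all three rows -> the WHERE clause was rewritten
```

The bound version needs no escaping function at all, which is why `mysqli_real_escape_string` is not the right tool here: escaping patches the SQL string, whereas binding keeps the value out of the SQL string entirely. The same holds for Phalcon's PHQL: keep every user-supplied value in the bind-parameter array and never concatenate it into `$phql`.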