Do I need to take care of the security

in a position to filter the variables?

$robot = new Robots(); $robot->type = "mechanical"; $robot->name = "Astro Boy"; $robot->year = 1952;

//This record only must be created if ($robot->create() == false) { echo "Umh, We can't store robots right now: \n"; foreach ($robot->getMessages() as $message) { echo $message, "\n"; } } else { echo "Great, a new robot was created successfully!"; }



8.0k

mysqlrealescape_string ?



85.0k

No, you don't need to escape values manually, Phalcon uses bound parameters to prevent SQL injections:

http://docs.phalconphp.com/en/latest/reference/models.html#avoiding-sql-injections



19.0k

Hi,

How do I handle this situation without mysqliescapestring:

        // Base model
    $client = new Client();

    // A raw SQL statement
    $sql = "select * from Client where ID not in (select ClientID from CompanyRouteNumber) and CompanyID = " . $param[0] . " and Address1 = '" .    mysqli_escape_string($client->getReadConnection(), $param[1]) . "'";

    // Execute the query
    $clients = new Resultset(null, $client, $client->getReadConnection()->query($sql));

I try, to bound parameters, but I failed.

Thank you.