Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Phalcon\Mvc\Model\Criteria::inWhere and escaping values

I searched the documentation, but I have been unable to find an answer to the question: values inside are escaped against SQL Injection?

edited Oct '14

Yes, they are. You can check for yourself by logging the SQL statements. Just add a logger that is triggered on the 'beforeQuery' event to see for yourself.

$di->set('db', function () use ($config) {
    $eventsManager = new EventsManager();

    $logger = new FileLogger(dirname(__DIR__)."/logs/debug.log");

    //Listen all the database events
    $eventsManager->attach('db', function($event, $connection) use ($logger) {
        if ($event->getType() == 'beforeQuery') {
            $logger->log($connection->getSQLStatement(), Logger::INFO);

    $connection = new DbAdapter(array(
        'host' => $config->database->host,
        'username' => $config->database->username,
        'password' => $config->database->password,
        'dbname' => $config->database->dbname,
        'charset' => 'utf8'


    return $connection;