How to use form.render() and disable the form handle

From controller:

public function viewAction($id, $report_id)
{
    $report = SaeReport::findFirst('id = '.$report_id);
    $form = new SAEReportForm($report, array('id' => $id));
    $this->view->form = $form;
}

In the view.volt, when I call form.render(), is there a way at runtime to specify that I want the form element to be disabled, i.e. not changeable? I've tried


but that doesn't work...


form.render only renders elements. You have to write the form using a form helper:

BTW: This makes your application vulnerable to SQL injections:

$report = SaeReport::findFirst('id = '.$report_id);

It must be changed to:

$report = SaeReport::findFirstById($report_id);

edited Oct '14

Would it also be acceptable to do

$report = SaeReport::findFirst('id = '.$this->request->getPost('id','int'));


edited Oct '14

$this->request->getPost('id','int') would sanitize the input to allow only integer digits/characters; note that depending on the input this might not produce valid integers:

$f = new Phalcon\Filter;
echo $f->sanitize('ksld091209j210jdkd1-dksl;dks-dq.d.d.dkdkdskd022020101010101101ekkdkdd', 'int');



Which means:

$report = SaeReport::findFirst('id = 0912092101--022020101010101101');

This would return an unexpected record, and it's also not PHQL friendly:


OK so then how would I accomplish something like this:

$report = SaeReport::findFirst('param1 = '.$param1.' AND param2 = '.$param2');

While still properly handling SQL injections?

edited Oct '14

Using bound parameters:

$report = SaeReport::findFirst(['param1 = ?0 AND param2 = ?1', 'bind' => [$param1, $param2]]);

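The following controller is an added example written for this thread; it is not code posted by anyone above and not Phalcon's own code. It assumes the thread's `SaeReport` model and `SAEReportForm` class, a Phalcon 1.x/2.x `Phalcon\Mvc\Controller`, and hypothetical column names `title` and `description`. It puts together the three points made in the answers: why `sanitize('int')` alone is not a defence, how to pass both lookup values as bound parameters (numbered `?0` placeholders as in the answer above, and the equivalent named `:name:` form), and the server-side counterpart of a "disabled" form element, because a `disabled="disabled"` attribute only affects the browser and a submitted value for that field can still arrive at the controller.

```php
<?php
// Added example for this thread (not posted code, not Phalcon's own code).
// Assumes the thread's SaeReport model and SAEReportForm, Phalcon 1.x/2.x.
use Phalcon\Mvc\Controller;
use Phalcon\Filter;

class SaeReportController extends Controller
{
    // What the 'int' sanitizer really does: it keeps digits, '+' and '-' and
    // drops everything else, so garbage becomes a non-numeric string instead
    // of an error. 'a1-b2' becomes '1-2', which is not a usable id.
    public static function intSanitizerKeeps($raw)
    {
        $f = new Filter();
        return $f->sanitize($raw, 'int');
    }

    // Lookup by id with a named bound parameter: the value is handed to the
    // database driver separately and never becomes part of the PHQL text.
    public function viewAction($id, $report_id)
    {
        $report = SaeReport::findFirst([
            'conditions' => 'id = :report_id:',
            'bind'       => ['report_id' => (int) $report_id],
        ]);
        if (!$report) {
            $this->flash->error('Report not found');
            return $this->dispatcher->forward(['action' => 'index']);
        }
        $form = new SAEReportForm($report, ['id' => $id]);
        $this->view->form = $form;
    }

    // The two-column case from the question, using numbered placeholders
    // exactly as in the answer above; $param1/$param2 may be any user input.
    public static function findByParams($param1, $param2)
    {
        return SaeReport::findFirst([
            'param1 = ?0 AND param2 = ?1',
            'bind' => [$param1, $param2],
        ]);
    }

    // Saving an edited report. A field rendered with disabled="disabled" is
    // only read-only in the browser; a modified request can still submit it.
    // So "not editable" is enforced here by copying only whitelisted fields.
    public function saveAction($report_id)
    {
        if (!$this->request->isPost()) {
            return $this->response->redirect('sae_report/view/' . (int) $report_id);
        }
        $report = SaeReport::findFirst([
            'conditions' => 'id = :id:',
            'bind'       => ['id' => (int) $report_id],
        ]);
        if (!$report) {
            $this->flash->error('Report not found');
            return $this->dispatcher->forward(['action' => 'index']);
        }
        // Hypothetical editable columns; anything else posted is ignored.
        $editable = ['title', 'description'];
        foreach ($editable as $field) {
            $report->$field = $this->request->getPost($field, 'string');
        }
        if (!$report->save()) {
            foreach ($report->getMessages() as $message) {
                $this->flash->error((string) $message);
            }
            return $this->dispatcher->forward(['action' => 'view', 'params' => [$report_id]]);
        }
        return $this->response->redirect('sae_report/view/' . (int) $report_id);
    }
}
```

The `(int)` casts in the lookups are belt-and-braces: with bound parameters the cast is no longer what prevents injection, it just turns the sanitizer's odd output (such as the `0912092101--0220...` string shown above) into a plain integer before the query runs, so a malformed id yields "not found" rather than a PHQL error.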

OK so that solves my SQL injection, but what you are telling me is that there is no way to render a form element so that its contents cannot be edited?