What does "Disallow literals in PHQL" mean?

Question

What does "Disallow literals in PHQL" mean?

jeffreycahyono Jul '13

Created Jul '13	Last Reply Jul '13	Replies 2	Views 688	Votes 0

jeffreycahyono 27.7k

Jul '13

What does "Disallow literals in PHQL" mean? I wrote like $artist = Artists::findFirst("name = '$name'"); in many places in my project, but it seems run normally using 1.2.0 without exception. If this would cause an exception, is there a way to disable this feature so that codes written prior to 1.2.0 still compatible? I've read https://docs.phalcon.io/en/latest/reference/phql.html#disabling-literals. and there is no explanation about how to enable/disable this option

Soufiane Ghzal · Answer 1 · 2013-07-10T05:04:34-07:00

Corrrect me if i'm wrong, but see by example :

With literal :

 SELECT * FROM tree WHERE name="lemontree";

or again :

 SELECT * FROM tree WHERE name="<?=$somethings?>";

As you see literal is sensible to sql injection.

Now the same without litteral, but with bound params :

 SELECT * FROM tree WHERE name=:name;

then you a bind method that will secure sql injection by replacing :name by your literal value with backsleshes if needed quote, etc...

Literals are strings, number .... It means that disabeling literal disallow you to use them directly in your query and you have to use bound params instead More informations here : https://devzone.advantagedatabase.com/dz/webhelp/advantage8.1/supported_statements/sql_literals.htm

Phalcon · Answer 2 · 2013-07-10T08:10:24-07:00

You can disallow literals in the following way:

Phalcon\Mvc\Model::setup(array('phqlLiterals' => false));

Disallow literals is not enabled by default since it can break several applications.