Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Binding Parameters

This may be a little bit of a noob question but here goes.

I am assuming that Phalcon BINDS parameters automatically when data is sent to the database BUT the confusing thing is that in many places in the documentation we are advised to bind parameters.

so my code starts looking like

$device->assign(array(
                'type' => $this->filter->sanitize($userData['DeviceType'],"string"),
                'devID' => $this->filter->sanitize($id,"alphanum"),
                'status' => $this->filter->sanitize($userData['Status'],"int"),
                'assigned' => 0,
                'devCreated' => $verify->isNow() ,
                ));

$device->save();

I feel as though this is ineffecient code because it is double work as phalcon will BIND the variable going in in any case.

The reason I want to do this is to prevent errors when the data comes OUT of the data base as I am not sure if Phalcon does anything to the data on read.

I also feel this is inffecient because I know that the database layer should be able to do this saving me having to run filter on everything.

any advice would be much appreciated.

Filter != bind, bind avoids SQL injection attacks, and filter avoids save unexpected data in the database system.

Thanks for the quick response!

So this is the issue.

If I BIND going into the data base, will it ensure that on read FROM the database. I read in one of the forums (link not available) that additional protection is recommended so that when data is pulled from the database there are not security concerns.

so:

  1. Does phalcon already prepare the SQL statements to prevent MySQL injection (I think this is yes)
  2. Do I need to manually bind the parameters to the query?
  3. Is there any value in filtering values before then passing them as parameters to the query.

Sorry if this questions is unclear. Just want to make sure I understand what is goin on in the guts of PHALCON.



33.6k
Accepted
answer

Answers to your questions:

Does phalcon already prepare the SQL statements to prevent MySQL injection (I think this is yes)

Yes

Do I need to manually bind the parameters to the query?

Yes, except if you are using finders, ie. Robots::findByName("Ultron")

Is there any value in filtering values before then passing them as parameters to the query.

The value is that you're not going to store garbage in the database. ie. unexpected or unwanted characters