
ODM Sql Injection

Hi,

I have this code snippet; I am using it to search whether a certain tag exists, and if not, I persist a new tag into the db. This works fine, however I am concerned about whether this is protected against SQL injection. It's not documented.

$tagr = Tags::findFirst( array(
    "conditions" => array(
        "tagName" => $tags
    )
) );

if ( !$tagr ) {
    $tagObj = new Tags();
    $tagObj->tagName = $tags;
    $tagObj->save();
}


Test it; then you can be sure whether it's protected or not. But I would say it is, when you use the following way:

$tagr = Tag::findFirst(array(
   'tagName = ?0',
   'bind' => array($tags)
));


Accepted answer

There is no SQL injection in the ODM as it does not use SQL.
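Added example (not code from the thread or from Phalcon itself): the find-or-create from the question written as a function, with the one check worth having before the value reaches the ODM. The conditions array is sent to MongoDB as a structured document, so quotes or SQL keywords inside a string are plain data; what does matter is that the value is actually a string, since PHP request parameters can also arrive as arrays. The Tags class and its tagName field are assumed from the question.

```php
<?php
// Added example, not from the thread. Assumes a Phalcon ODM collection
// class "Tags" with a "tagName" field, as in the question.

use Phalcon\Mvc\Collection;

class Tags extends Collection
{
    public $tagName;

    public function getSource()
    {
        return 'tags';
    }
}

/**
 * Look up a tag by name, creating it if it does not exist.
 *
 * The conditions array is passed to the MongoDB driver as a document
 * ({"tagName": <value>}), not concatenated into a query string, so a
 * value like "it's a tag" or "x; DROP TABLE" is compared literally.
 * An array value, however, would be sent as a query sub-document rather
 * than a literal, so only accept a string here.
 */
function findOrCreateTag($tagName)
{
    if (!is_string($tagName)) {
        throw new InvalidArgumentException('tagName must be a string');
    }

    $tag = Tags::findFirst(array(
        'conditions' => array(
            'tagName' => $tagName,
        ),
    ));

    if ($tag) {
        return $tag;
    }

    $tag = new Tags();
    $tag->tagName = $tagName;
    if (!$tag->save()) {
        throw new RuntimeException('could not save tag ' . $tagName);
    }
    return $tag;
}

// Usage: the quote is stored as part of the name, not parsed as syntax.
$tag = findOrCreateTag("it's a tag");
```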