Solved thread


ODM Sql Injection


I have this code snippet that I am using to search whether a certain tag exists; if not, I persist a new tag into the db. This works fine, however I am concerned about whether this is protected against SQL injection. It's not documented.

            // Look up the tag by name; conditions are passed as an array, not a query string
            $tagr = Tags::findFirst( array(
                    "conditions" => array(
                        "tagName" => $tags
                    )
            ) );

            // Not found: persist a new tag document
            if ( !$tagr ) {
                $tagObj = new Tags();
                $tagObj->tagName = $tags;
                $tagObj->save();
            }


Test it, then you can be sure whether it's protected or not. But I would say it is, when you use the following way:

$tagr = Tag::findFirst(array(
   'tagName = ?0',
   'bind' => array($tags)   // value is bound, never concatenated into the condition
));


There is no SQL injection in the ODM as it does not use SQL.
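A complete find-or-create for the ODM case, added here as an example (it is not code from the thread or from Phalcon itself). It assumes a Tags class extending Phalcon\Mvc\Collection backed by a "tags" MongoDB collection, and a hypothetical findOrCreateTag() helper; the input check is the one caveat worth keeping in mind when no SQL is involved.

```php
<?php
use Phalcon\Mvc\Collection;

// Assumed shape of the thread's Tags class: an ODM collection, not a SQL model.
class Tags extends Collection
{
    public $tagName;

    public function getSource()
    {
        return 'tags';
    }
}

/**
 * Hypothetical helper: return the Tags document named $tagName, creating it if absent.
 *
 * The ODM turns the conditions array into a MongoDB query document, so no SQL
 * (or query string of any kind) is assembled from $tagName and there is nothing
 * for SQL injection to act on. What still matters is the value's type: MongoDB
 * reads an associative-array value as an operator document rather than a literal,
 * so request input that arrived as an array is rejected instead of passed through.
 */
function findOrCreateTag($tagName)
{
    if (!is_string($tagName) || $tagName === '') {
        throw new InvalidArgumentException('tagName must be a non-empty string');
    }

    $tag = Tags::findFirst(array(
        'conditions' => array('tagName' => $tagName),
    ));

    if (!$tag) {
        $tag = new Tags();
        $tag->tagName = $tagName;
        if (!$tag->save()) {
            throw new RuntimeException('could not persist tag "' . $tagName . '"');
        }
    }

    return $tag;
}
```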