Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
DB::query security(SQL injection)
  • hellosshelloss
    Hi, I am working on implementing the systems for authentication.

    I would like to ask about security of DB::query method.

    I have heard DB::query may not escape the sql statement. So that, I need to avoid executing it just as it is.

    Do you have any ideas to escape it?

    my code is:

    $data[] = array(
        'id' => $id,
        'desk' => $desk,
    );

    $query = \DB::insert('sample')
        ->columns(
            ['id''desk']);
            
    foreach ($data as $item) {
        $query->values(
            [
                $item['id'],
                $item['desk'],
        ]);
    }
    \DB::query($query->compile() . "ON DUPLICATE KEY UPDATE `desk` = VALUES(`desk`), `updated_at` = NOW()")->execute();
  • andersoncdzandersoncdz
    Hello, how are you?

    I advise you to use the fuel authentication package, everything you need is already implemented.



    I believe this will save you a lot of time.

    Hope this helps

    Merry Christmas :)
  • HarroHarro
    Any code that is generated is escaped properly.

    If you want to construct your own query, you can manually quote values using

    \DB::quote($value)

    and identifiers using

    \DB::quote_indentifier($identifier)


Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion