Fluent is safe, right?


Has anyone here already used Fluent? Can you tell me whether it is safe against SQL injection? I know it uses PDO, but perhaps it does not sanitize the data before it is sent to the database.

And if it is safe, I intend to study it to develop my own model using PDO.

1 answer



It depends on how it is used. Looking at the examples on the linked page, we have:

syntax                           description
$table->where("field", "x")      Translated to field = 'x'
$table->where("field > ?", "x")  bound by PDO

As you can see, the first case simply puts the value into the query, without any further processing. If you use a value such as:

$table->where("field", "Robert'); DROP TABLE Students;--")

Then it will be placed directly in the query, and you will get an SQL injection. However, if you use the second form:

$table->where("field = ?", "Robert'); DROP TABLE Students;--")

Then the ' in the value will be "escaped", and your system will be safe.

In summary, using Fluentpdo will not automatically make your system secure or insecure, it is necessary to take each API call into consideration, case by case, when determining the security of the application.
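Since the asker wants to build their own model on top of PDO, here is the difference between the two forms of the answer written in raw PDO, with no FluentPDO involved. This is an added example, not code from the original answer or from the FluentPDO project; it assumes the pdo_sqlite extension is available, uses an in-memory SQLite database, and the table, rows, hostile input and function names (findByNameInterpolated, findByNameBound) are all constructed for this illustration.

```php
<?php
// Added example (not FluentPDO code): one lookup written two ways with raw PDO.
// Assumes the pdo_sqlite extension; the table and rows below are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO students (name) VALUES ('Alice'), ('Robert')");

// Constructed hostile input: the single quote closes the string literal and the
// rest of the input becomes part of the WHERE clause if it is pasted into the SQL.
$input = "Robert' OR '1'='1";

// 1. The value is interpolated into the SQL text (what the answer's first form
//    describes). The quote in $name ends the literal, so the input rewrites the
//    condition and the query matches rows the caller never asked for.
function findByNameInterpolated(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM students WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The value is passed as a bound parameter (the answer's second form). The SQL
//    text is fixed by the code; the driver transmits the value separately, so the
//    quote is just one more character of the name being compared.
function findByNameBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM students WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findByNameInterpolated($pdo, $input)); // both rows: the injection changed the query
var_dump(findByNameBound($pdo, $input));        // no rows: nobody has that literal name
```

Two caveats a practitioner should keep in mind when reviewing either a library or a hand-written model. First, binding protects values only: whatever ends up in the first argument (the column name, the operator, an ORDER BY direction) is concatenated into the SQL text as-is, so those pieces must come from the code or an allow-list, never from the request. Second, even with PDO, a `?` placeholder only helps if the value actually travels through `execute()` or `bindValue()`; building the string with the value already inside it and then calling `prepare()` on the result is the first form wearing the second form's clothes.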
