Flourish PHP Unframework
This is an archived copy of the forum for reference purposes

SQL injections with Active Record?

posted by knutsune 8 years ago

Should I somehow escape inputs when using only Active Record? I'm kinda hoping it takes care of all that.

For example, is this escaped and safe?

$bar->setTitle(fRequest::get('title'));
$bar->store();

or

$bar->populate();
$bar->store();

Just want to be sure. Thanks.

Yes, fActiveRecord and fRecordSet escape all values before executing SQL. Anything passed to ->set(), pulled in via ->populate() and any values passed to the $where_conditions parameter of fRecordSet::build() are all automatically escaped to prevent SQL injection.

The only thing to note is that the expression (the array keys) used in the $order_bys parameter of fRecordSet::build() is not escaped, since it allows arbitrary SQL expressions and not just values. You aren't gonna want to let users specify arbitrary order bys anyway, so the best solution is to create an array of valid options if you let the user affect the order.

posted by wbond 8 years ago
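An added example (not code from the original thread or from Flourish itself) of the whitelist approach the answer recommends for $order_bys, next to an escaped $where_conditions value. It assumes a hypothetical "Bar" fActiveRecord class with title and date_created columns and request parameters named q, sort and dir.

```php
<?php
// Added example, not from the original post. Assumes a "Bar" fActiveRecord
// class with "title" and "date_created" columns.

function buildBarSet() {
    // Values in $where_conditions are escaped by fRecordSet::build(), so
    // passing raw request input as a value is safe from SQL injection.
    $where  = array();
    $search = fRequest::get('q', 'string', '');
    if ($search !== '') {
        $where['title~'] = $search;   // "~" is the LIKE-style operator; value is escaped
    }

    // The keys of $order_bys are raw SQL expressions and are NOT escaped,
    // so user input must never become a key directly. Map it to a fixed
    // list of allowed columns and directions instead.
    $allowed_columns    = array('title', 'date_created');
    $allowed_directions = array('asc', 'desc');

    $column    = fRequest::get('sort', 'string', 'date_created');
    $direction = fRequest::get('dir', 'string', 'desc');

    if (!in_array($column, $allowed_columns, TRUE)) {
        $column = 'date_created';    // fall back rather than trusting the input
    }
    if (!in_array($direction, $allowed_directions, TRUE)) {
        $direction = 'desc';
    }

    // Only whitelisted literals ever reach the $order_bys array keys.
    return fRecordSet::build('Bar', $where, array($column => $direction));
}
```

A request such as ?sort=title%3B+DROP+TABLE+bars therefore never reaches the query; it simply falls back to the default ordering.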