Yes, fActiveRecord and fRecordSet escape all values before executing SQL. Anything passed to ->set(), pulled in via ->populate() and any values passed to the $where_conditions parameter of fRecordSet::build() are all automatically escaped to prevent SQL injection.

The only thing to note is that the expression (the array keys) used in the $order_bys parameter of fRecordSet::build() is not escaped, since it allows arbitrary SQL expressions and not just values. You aren't going to want to let users specify arbitrary order bys anyway, so the best solution is to create an array of valid options if you let the user affect the order.
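The following is an added example of the whitelist approach the answer recommends; it is not code from the original answer or from the Flourish project. It assumes Flourish is autoloaded, that a `User` record class exists with hypothetical columns `last_name`, `date_created` and `status`, and that the sort key and direction arrive as the `sort` and `dir` query parameters.

```php
<?php
// Added example, not from the original answer or from Flourish.
// Assumes a User record class with columns last_name, date_created and
// status (hypothetical names), and Flourish already loaded.

// Whitelist: the only sort keys a client may request, mapped to the SQL
// expression that fRecordSet::build() splices into ORDER BY unescaped.
$allowed_order_bys = array(
    'name'    => 'last_name',
    'created' => 'date_created',
);
$allowed_directions = array('asc', 'desc');

/**
 * Translate user-supplied sort parameters into a safe $order_bys array.
 * The user input is only ever used as a lookup key, never as the array key
 * that ends up in the SQL text.
 */
function build_user_order_by($requested_key, $requested_dir, array $allowed_order_bys, array $allowed_directions)
{
    $column = isset($allowed_order_bys[(string) $requested_key])
        ? $allowed_order_bys[(string) $requested_key]
        : 'last_name';               // default for a missing or unknown key

    $dir = strtolower((string) $requested_dir);
    $direction = in_array($dir, $allowed_directions, true) ? $dir : 'asc';

    return array($column => $direction);
}

$order_bys = build_user_order_by(
    isset($_GET['sort']) ? $_GET['sort'] : null,
    isset($_GET['dir'])  ? $_GET['dir']  : null,
    $allowed_order_bys,
    $allowed_directions
);

// The value in $where_conditions comes straight from the request; Flourish
// escapes it. The ORDER BY expression is whatever the whitelist chose, so no
// request data reaches the SQL text unescaped.
$status = isset($_GET['status']) ? $_GET['status'] : 'active';

$users = fRecordSet::build(
    'User',
    array('status=' => $status),
    $order_bys
);
```

If you need to surface the sort choice back to the UI (for column headers or pagination links), render the whitelist key (`name`, `created`), not the column name, so the SQL expression never has to round-trip through the client at all.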