Is the following way of writing a query safe from XSS/injection, or does it treat the variable as a simple string replacement? I'm not going to clean the strings before inputting them, so is this safe?
Db::select('SELECT l.slug FROM audio AS t, music AS l, song AS c
    WHERE t.song_id = l.id
      AND c.id = l.band_id
      AND t.slug = ?
      AND c.id = ?', [$value1, $value2]);
Or should I just rewrite the whole thing with models, using model::where(), ->where() and ->join()?
Thanks
From the Laravel docs:
The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.
But if you want to be certain, try to inject something and see if it works :)
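The point the quoted docs make, as an added example that is not from the original thread or from Laravel/October: the question's query run through Python's sqlite3 driver, which binds "?" placeholders the same way PDO does, next to a string-interpolated version of the same query. The table columns and rows are constructed for the example, and using Python/sqlite instead of PHP/PDO is an assumption made so that it runs stand-alone; the binding behaviour demonstrated is the same.

```python
import sqlite3

# Constructed sample schema and rows mirroring the three tables in the
# question (audio, music, song). Columns beyond the ones the query names
# are assumptions made for the example.
SCHEMA = """
CREATE TABLE song  (id INTEGER PRIMARY KEY);
CREATE TABLE music (id INTEGER PRIMARY KEY, band_id INTEGER, slug TEXT);
CREATE TABLE audio (slug TEXT, song_id INTEGER);
INSERT INTO song  VALUES (1), (2);
INSERT INTO music VALUES (10, 1, 'first-album'), (20, 2, 'second-album');
INSERT INTO audio VALUES ('intro', 10), ('outro', 20);
"""

# The query from the question, with positional '?' placeholders (the same
# style PDO accepts).
QUERY = """
SELECT l.slug FROM audio AS t, music AS l, song AS c
WHERE t.song_id = l.id
  AND c.id = l.band_id
  AND t.slug = ?
  AND c.id = ?
"""


def connect():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def select_bound(conn, slug, song_id):
    """Parameter binding: the SQL text and the values travel separately,
    so the values are only ever compared as data, never parsed as SQL."""
    return [row[0] for row in conn.execute(QUERY, (slug, song_id))]


def select_interpolated(conn, slug, song_id):
    """The unsafe alternative the question worries about: the values are
    pasted into the SQL text, so a value containing a quote rewrites the
    statement's structure (here it also breaks the join conditions)."""
    sql = QUERY.replace("t.slug = ?", f"t.slug = '{slug}'") \
               .replace("c.id = ?", f"c.id = {song_id}")
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run a legitimate lookup and a classic injection payload both ways."""
    conn = connect()
    payload = "' OR '1'='1"
    return {
        # Normal lookup: one matching album slug.
        "legit_bound": select_bound(conn, "intro", 1),
        # Bound: the payload is just an unmatched slug string -> no rows.
        "attack_bound": select_bound(conn, payload, 1),
        # Interpolated: the OR turns the WHERE into a cross product of
        # audio x music for song 1 -> every slug comes back, twice.
        "attack_interpolated": sorted(select_interpolated(conn, payload, 1)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The takeaway for the question: with the array of bindings passed as the second argument, the values are handled like select_bound above, so no cleaning is needed; only building the SQL string yourself from user input (select_interpolated) reintroduces the injection.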