This forum has moved to a new location and is in read-only mode. Please visit talk.octobercms.com to access the new location.

kdoon80

Is the following way to write a query safe from XSS/injection, or does it treat the variable as simple string replacement? I'm not going to clean the strings before inputting them, so is this safe?

Db::select('SELECT l.slug FROM audio as t, music as l, song as c
            where t.song_id = l.id
            and c.id = l.band_id
            and t.slug = ?
            and c.id = ?', [$value1, $value2]);

or should I just rewrite the whole thing as models using

model::where()
where ->() 
join ->() 

thanks


Scott

From the Laravel docs:

The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

But if you want to be certain, try and inject something and see if it works :)

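To show what the Laravel docs quoted above mean in practice, here is an added example (not code from the thread, nor from OctoberCMS or Laravel) that runs the question's query with plain PDO, the layer Db::select() delegates to, against an in-memory SQLite database. The tables, rows and slug values are constructed for the demo; the only assumption is that the pdo_sqlite extension is available.

```php
<?php
// Added example: Db::select($sql, $bindings) hands the SQL and the bindings to a
// PDO prepared statement, so each bound value is sent as data and is never
// spliced into the SQL text. Schema and rows below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE song  (id INTEGER PRIMARY KEY)');
$pdo->exec('CREATE TABLE music (id INTEGER PRIMARY KEY, band_id INTEGER, slug TEXT)');
$pdo->exec('CREATE TABLE audio (id INTEGER PRIMARY KEY, song_id INTEGER, slug TEXT)');
$pdo->exec("INSERT INTO song  VALUES (1), (2)");
$pdo->exec("INSERT INTO music VALUES (10, 1, 'first-album'), (11, 2, 'second-album')");
$pdo->exec("INSERT INTO audio VALUES (100, 10, 'track-one'), (101, 11, 'track-two')");

// The query from the question, unchanged; the two `?` are PDO positional parameters.
const SQL = 'SELECT l.slug FROM audio as t, music as l, song as c
             WHERE t.song_id = l.id AND c.id = l.band_id
               AND t.slug = ? AND c.id = ?';

// Same shape as Db::select(SQL, [$value1, $value2]); returns the matching slugs.
function findSlugs(PDO $pdo, string $value1, int $value2): array
{
    $stmt = $pdo->prepare(SQL);          // SQL text is parsed here, before any value is seen
    $stmt->execute([$value1, $value2]);  // values travel separately as parameters
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Ordinary input matches as expected.
var_dump(findSlugs($pdo, 'track-one', 1));             // ["first-album"]

// Input containing quotes and SQL keywords is compared as one literal slug string,
// so it simply matches no row; the statement itself is unchanged and nothing
// needs to be "cleaned" before it is passed as a binding.
var_dump(findSlugs($pdo, "track-one' OR '1'='1", 1));  // []

// The query-builder rewrite the question asks about goes through the same PDO
// binding and returns the same rows (OctoberCMS Db facade, shown for comparison):
// Db::table('audio as t')
//     ->join('music as l', 't.song_id', '=', 'l.id')
//     ->join('song as c', 'c.id', '=', 'l.band_id')
//     ->where('t.slug', $value1)->where('c.id', $value2)
//     ->select('l.slug')->get();
```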

