
Considering the example below, does PHP activerecord prevent SQL injection on basic create? I can find numerous examples and instructions on the finders, but nothing on the safety of what I do here.

    $p = new Person();
    $p->firstname = $_POST["firstname"];
    $p->emailaddress = $email_enc; // encoded from $_POST["email"]
    $p->save();

EDIT: I'm not asking about preventing "ordinary" PHP SQL injection. This question is specific to PHP activerecord basic CRUD actions.

Jos

  • That depends on how you are passing values to the DB. Are you using PDO and prepared statements? – vascowhite Oct 05 '15 at 20:25
  • Not a dupe, this is a specific PHP activerecord framework question (http://www.phpactiverecord.org/). Thus not using PDO directly; I don't know what activerecord uses under the hood. – Jos Oct 05 '15 at 20:41
  • Sorry, I've never come across that framework before, I thought you were referring to the pattern. You could check their code and see what they're doing. – vascowhite Oct 05 '15 at 20:44
  • However, I still think this is a dupe as comparing the [source code](https://github.com/jpfuentes2/php-activerecord/blob/master/lib/Connection.php) to the answers in the linked question would give you your answer, as Chris has indicated in his answer below. – vascowhite Oct 05 '15 at 20:49
  • Fair enough. Thanks! – Jos Oct 05 '15 at 20:54

1 Answer


From this source code, phpactiverecord uses PDO to connect to the database. Based on the top answer to this question, you are protected from 1st order SQL injections.

Chris
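To make the answer concrete, here is an added example (not code from the question and not php-activerecord's own implementation) of a minimal "create" done the way a PDO-backed ORM does it: the request values are bound as parameters of a prepared statement, so the driver sends them separately from the SQL text and they can never be parsed as SQL. It assumes the pdo_sqlite extension is available; the `people` table, the `$post` array standing in for `$_POST`, and the `createPerson()` helper are all constructed for this illustration.

```php
<?php
// Added example, not from the question or from php-activerecord.
// Assumes pdo_sqlite; table, input and helper are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, firstname TEXT, emailaddress TEXT)');

// Constructed stand-in for $_POST: the first name contains SQL metacharacters,
// the classic textbook case, so we can check it is stored as plain data.
$post = [
    'firstname' => "Robert'); DROP TABLE people; --",
    'email'     => 'robert@example.com',
];

/**
 * Insert a row from user-supplied attributes with a prepared statement.
 * Column names come from a fixed whitelist (never from the request);
 * values are bound, so they are transmitted as data, not as SQL text.
 */
function createPerson(PDO $pdo, array $attrs): int
{
    $allowed = ['firstname', 'emailaddress'];
    $cols = [];
    $params = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $attrs)) {
            $cols[] = $col;
            $params[':' . $col] = $attrs[$col];
        }
    }
    // Only whitelisted identifiers and placeholders are interpolated here.
    $sql = sprintf(
        'INSERT INTO people (%s) VALUES (%s)',
        implode(', ', $cols),
        implode(', ', array_keys($params))
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

// Validation (here: is it shaped like an e-mail?) is an input-quality step;
// it is the parameter binding, not any encoding of the value, that keeps the
// query safe.
$email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new InvalidArgumentException('invalid e-mail address');
}

$id = createPerson($pdo, [
    'firstname'    => $post['firstname'],
    'emailaddress' => $email,
]);

// Verify: the metacharacters were stored verbatim and the table still exists
// with exactly one row, i.e. nothing in the value was executed as SQL.
$stmt = $pdo->prepare('SELECT firstname FROM people WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
$count  = (int) $pdo->query('SELECT COUNT(*) FROM people')->fetchColumn();

if ($stored !== $post['firstname'] || $count !== 1) {
    throw new RuntimeException('unexpected result: value was not stored verbatim');
}
echo "value stored verbatim; table intact with {$count} row\n";
```

The caveat that goes with the answer: binding protects values only. Table and column names, `ORDER BY` clauses, or any SQL fragment you assemble yourself from request data are not parameters and are not covered by PDO's prepared statements, which is why the helper above draws column names from a fixed whitelist rather than from the request. The same distinction applies to any ORM: attribute assignment followed by `save()` is the bound-value path, while raw-SQL or string-condition finders are where a reviewer should look for interpolation.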