Complex sql queries without SQL injections

This is a fully working SQL query.

INSERT INTO products
	(id, company, title)
	VALUES (?, ?, ?)  -- placeholders; the values are bound at execution time
	ON DUPLICATE KEY UPDATE
	id = VALUES(id),
	company = VALUES(company),
	title = VALUES(title)

Just dumping it in like this is probably very insecure.

  1. Is it possible to do this without db::query?
  2. Should I add the values as the second or third argument? The docs say bindings as second argument and params as third argument. I could not find an example of it.

I guess this one is for you @lukasbestle.

That should be something like this:

$result = db::table('products')->insert([
  ['id' => '1', 'company' => 'company1', 'title' => 'title1'],
  // ...
]);
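The upsert from the question with the values passed as bindings instead of being pasted into the query text, as an added example that is not from this thread or from Kirby itself. It uses PDO directly, which a wrapper such as db::query() is assumed to sit on top of; the final db::query($sql, $bindings) call assumes bindings are the second argument, as the question quotes from the docs, and the connection details and rows are constructed.

```php
<?php
// Added example: INSERT ... ON DUPLICATE KEY UPDATE as a prepared statement.
// The SQL text is fixed; user-supplied values only ever travel as bindings.

// Constructed sample rows (e.g. from a form or an import file). The second
// title contains a quote to show it is stored literally, not parsed as SQL.
$rows = [
    ['id' => 1, 'company' => 'company1', 'title' => 'title1'],
    ['id' => 2, 'company' => 'company2', 'title' => "title2' OR '1'='1"],
];

// Named placeholders where the values go; nothing from $rows is concatenated.
$sql = 'INSERT INTO products (id, company, title)
        VALUES (:id, :company, :title)
        ON DUPLICATE KEY UPDATE
          id      = VALUES(id),
          company = VALUES(company),
          title   = VALUES(title)';

// Plain PDO (connection parameters are placeholders for this example).
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare, not client-side quoting
]);

// One prepared statement, executed once per row with its own bindings.
$stmt = $pdo->prepare($sql);
foreach ($rows as $row) {
    $stmt->execute([
        ':id'      => $row['id'],
        ':company' => $row['company'],
        ':title'   => $row['title'],
    ]);
}

// The same thing through the toolkit wrapper. Assumption: db::query() hands
// the second argument to PDOStatement::execute() as the bindings array.
foreach ($rows as $row) {
    db::query($sql, [
        ':id'      => $row['id'],
        ':company' => $row['company'],
        ':title'   => $row['title'],
    ]);
}
```

The check is simple: if any part of the SQL string is built with `.` from request data, it is not safe, whatever the wrapper is called.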

Not completely related - but if you are starting to use complex mysql for projects, and feel like going to something that is outside of kirby - I recommend the Illuminate Database - it's probably (definitely) heavier but I haven't found anything it can't do well so far… and it has good documentation
