I couldn’t find a clear answer in the docs, so I thought I’d ask here. Do Kirby’s SQL methods require any pre-sanitization beforehand to protect against SQL injection, or do they already take care of this behind the scenes?
The Kirby DB classes use prepared statements with the PDO class, so yes, that should be safe against SQL injections as long as you don’t manually concatenate SQL strings from user data. The documented standard methods don’t do that, however.
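To make the distinction in that answer concrete, here is an added example (not code from this thread or from Kirby itself) written against plain PDO, which is what Kirby's DB classes sit on. It uses an in-memory SQLite database so it runs offline, and it uses no Kirby-specific method names; the function and table names are made up for the illustration. It contrasts the concatenation pattern the answer warns about with a bound-parameter query, and shows the one place binding does not help: identifiers such as column names, which have to come from an allow-list.

```php
<?php
// Added example, not from the forum thread or Kirby's own code.
// Demonstrates PDO prepared statements (what Kirby's DB layer relies on)
// against an in-memory SQLite database. Table and function names are invented.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false
// so the server, not the client, does the preparing; SQLite always prepares.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');

// Constructed sample rows; the second username deliberately contains an apostrophe.
$seed = $pdo->prepare('INSERT INTO users (username, role) VALUES (:username, :role)');
foreach ([['alice', 'admin'], ["o'brien", 'editor']] as [$name, $role]) {
    $seed->execute([':username' => $name, ':role' => $role]);
}

// UNSAFE pattern the answer warns about: user data concatenated into the SQL text.
// Even a legitimate apostrophe breaks the statement (it throws here); that same
// mechanism is what lets crafted input change what the query means.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE pattern: the SQL text is fixed, user data travels separately as a bound value,
// so the database never parses it as part of the statement.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Caveat: placeholders only bind values. Table and column names (and ORDER BY
// direction) cannot be bound, so anything user-controlled there must be checked
// against an allow-list before it is interpolated.
function listUsersOrdered(PDO $pdo, string $orderBy, int $limit): array
{
    $allowed = ['id', 'username', 'role'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    // $orderBy is now one of our own literals, so interpolating it is fine.
    $stmt = $pdo->prepare("SELECT username FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT needs an integer binding
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "o'brien"; // ordinary input that happens to contain a quote

try {
    var_dump(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    echo 'unsafe query broke on a plain apostrophe: ' . $e->getMessage() . PHP_EOL;
}

print_r(findUserSafe($pdo, $input));
print_r(listUsersOrdered($pdo, 'username', 10));
```

Run it with `php example.php`: the concatenated query fails on the apostrophe while the bound query returns the row intact. The same rule carries over to any framework helper that takes a where-clause array or bindings: values are safe to pass through, column names and sort fields still need validating on your side.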
Makes sense. Thanks for clearing that up!