Do Kirby's MySQL methods protect against injection attacks?

I couldn't find a clear answer in the docs, so I thought I'd ask here. Do Kirby's SQL methods require any pre-sanitization beforehand to protect against SQL injection, or do they already take care of this behind the scenes?

The Kirby DB classes use prepared statements with the PDO class, so yes, that should be safe against SQL injections as long as you don't manually concatenate SQL strings from user data. The documented standard methods don't do that, however. :slight_smile:


While prepared statements should prevent SQL injections, you would still have to sanitize user input to prevent HTML and JavaScript attacks, though.

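Both answers above, as one added example (not Kirby's code and not part of the original posts): plain PDO against an in-memory SQLite table stands in for the PDO connection Kirby's Database class wraps; it shows the concatenated query the first answer warns about beside the bound-parameter form, and the output escaping the second answer calls for. The table, rows and the crafted input are constructed for the demonstration.

```php
<?php
// Added example, not Kirby's own code: plain PDO on an in-memory SQLite
// table, standing in for the PDO connection Kirby's Database class wraps.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$db->exec("INSERT INTO users (email, name) VALUES ('alice@example.com', '<b>Alice</b>')");
$db->exec("INSERT INTO users (email, name) VALUES ('bob@example.com', 'Bob')");

// Constructed input: not a real address, but a value that changes the
// meaning of the query if it is pasted into the SQL text itself.
$input = "x' OR '1'='1";

// Unsafe, shown only for contrast: the user value becomes part of the SQL
// grammar. This is the "manual concatenation" the first answer warns about.
function findUnsafe(PDO $db, string $email): array
{
    $sql = "SELECT name FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed at prepare() time; the value travels
// separately as a bound parameter and is compared as a plain string.
function findSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The concatenated version matches rows it was never meant to, because the
// WHERE clause was rewritten; the bound version finds no such e-mail.
var_dump(findUnsafe($db, $input));
var_dump(findSafe($db, $input));

// Second answer's point: a safe query does not make the stored value safe to
// print. Escape for the HTML context at output time, not at storage time.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach (findSafe($db, 'alice@example.com') as $name) {
    // The stored <b> tag is shown as text instead of being rendered as markup.
    echo renderName($name), "\n";
}
```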

Makes sense. Thanks for clearing that up!