I couldn’t find a clear answer in the docs, so I thought I’d ask here. Do Kirby’s SQL methods require any pre-sanitization beforehand to protect against SQL injection, or do they already take care of this behind the scenes?
The Kirby DB classes use prepared statements with the PDO class, so yes, that should be safe against SQL injections as long as you don’t manually concatenate SQL strings from user data. The documented standard methods don’t do that, however.
1 Like
While prepared statements should prevent SQL injections, you would still have to sanitize user input to prevent HTML and JavaScript attacks, though.
1 Like
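To make the two answers above concrete, here is an added PHP example (not code from the thread, and not Kirby’s own code). It uses plain PDO against an in-memory SQLite table, on the assumption that Kirby’s DB wrapper delegates to PDO prepared statements in the way the first answer describes. It puts a concatenated query next to its prepared-statement equivalent, then shows the output escaping the second answer asks for. Function names, the table, and the input values are all constructed for the example.

```php
<?php
// Added example; not part of the forum thread or of Kirby itself.
// Plain PDO is used here as a stand-in for Kirby's DB classes (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$pdo->exec("INSERT INTO comments (author, body) VALUES ('alice', 'hello')");

// Constructed input: the kind of value that can arrive from a form field.
$untrustedAuthor = "alice' OR '1'='1";

// Vulnerable: user data concatenated into the SQL text. The quote character
// in $author changes the structure of the query, so the WHERE clause no
// longer filters and every row comes back.
function findVulnerable(PDO $pdo, string $author): array
{
    $sql = "SELECT author, body FROM comments WHERE author = '" . $author . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: a prepared statement. The query text is fixed; the value is bound as
// data and is never parsed as SQL, so the same input simply matches no row.
function findPrepared(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute(['author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statements say nothing about output. Anything read back from the
// database must still be escaped before it is rendered as HTML, otherwise
// stored markup or script ends up in the page.
function render(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $body   = htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html  .= '<p>' . $author . ': ' . $body . '</p>' . "\n";
    }
    return $html;
}

printf("concatenated query: %d row(s)\n", count(findVulnerable($pdo, $untrustedAuthor)));
printf("prepared query:     %d row(s)\n", count(findPrepared($pdo, $untrustedAuthor)));

// Constructed stored value containing markup; the prepared INSERT stores it
// verbatim, which is correct, and render() neutralises it on the way out.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute(['author' => 'mallory', 'body' => '<script>alert(1)</script>']);
echo render(findPrepared($pdo, 'mallory'));
```

Running this shows the concatenated query returning the whole table for the crafted input while the prepared query returns nothing, and the final `render()` call printing the stored `<script>` tag as visible text rather than live markup. The two defences are independent: binding parameters protects the query, escaping protects the page, and neither substitutes for the other. Kirby’s own escaping helpers are not shown because the thread does not name them.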
Makes sense. Thanks for clearing that up!