Are queries being “escaped” natively in Kirby toolkit, or what do I need to do to prevent MySQL injection?
I found an escape function in the docs, so to secure a query I just have to add ->escape() to the end of it? (roughly)
$bookings->insert(array(
"user" => getUserID($_POST["email"]),
"start_time" => $_POST["start-time"],
"end_time" => $_POST["end-time"],
"date" => $_POST["date"],
"adults" => $_POST["adults"],
"children" => $_POST["children"],
"under5" => $_POST["under5"],
"bookingRef" => $bookingRef,
"paid" => $totalPrice,
"VAT" => $VAT,
"processed" => time()
))->escape();
escape() can only be used on a string, so that is on each user input separately. Additionally, you should validate your user input to make sure you get the right types and formats.
Since Kirby 2.3, the Kirby database classes use query bindings for every value, so you don’t need to escape anything beforehand (actually that would break your code).
Only make sure that you pass structured data where possible (like in your example with the array). You can also pass a string to some methods (like where()), but then you need to do escaping beforehand.
You can check if everything is escaped by using the ->debug() method and then printing the result of the query. The SQL query should then include bindings for every value.
Please note that we can’t guarantee proper SQL injection protection. You are responsible for the security of your code.
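The distinction the answer above draws (bindings versus escaping beforehand) shown at the PDO level, as an added example that is not part of this thread and not Kirby's own code. It assumes Kirby's Database class sits on top of PDO, constructs its own throwaway bookings table in an in-memory SQLite database, and uses a constructed input value containing a single quote:

```php
<?php
// Added example, not Kirby's code: what "query bindings" means at the PDO level,
// the layer the Kirby 2.3 database classes build on (assumption). The bookings
// table and the input value are constructed for this demonstration.
// Runs offline against an in-memory SQLite database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bookings (id INTEGER PRIMARY KEY, user TEXT, adults INTEGER)');

// Constructed input containing a single quote, the character that breaks string-built SQL.
$userInput = "o'brien";

// Case 1: a value inlined into the SQL text (what a raw, unescaped string passed to
// where() amounts to). The quote inside the data ends the SQL string literal early;
// that is the injection surface.
$inlined = "SELECT * FROM bookings WHERE user = '" . $userInput . "'";
echo "Inlined SQL (broken by the quote):\n  $inlined\n";

// Case 2: a bound parameter. The SQL text is fixed and the value travels separately,
// so it can never change the statement's structure. No escaping is needed or wanted.
$insert = $db->prepare('INSERT INTO bookings (user, adults) VALUES (:user, :adults)');
$insert->execute([':user' => $userInput, ':adults' => 2]);

$stored = $db->query('SELECT user FROM bookings WHERE id = 1')->fetchColumn();
echo "Bound value stored as: $stored (matches input: "
    . var_export($stored === $userInput, true) . ")\n";

// Case 3: escaping first AND binding, the combination the answer says breaks your code.
// PDO::quote() doubles the quote and wraps the value in quotes; stripping the wrapper
// leaves o''brien, and binding that stores the doubled quote as literal data.
$escaped = substr($db->quote($userInput), 1, -1);
$insert->execute([':user' => $escaped, ':adults' => 2]);
$stored = $db->query('SELECT user FROM bookings WHERE id = 2')->fetchColumn();
echo "Escaped-then-bound value stored as: $stored (matches input: "
    . var_export($stored === $userInput, true) . ")\n";

// Case 4: the one place manual quoting is still correct: building a raw SQL string
// yourself. quote() adds the surrounding quotes as well as doubling the inner one,
// so the clause matches only the row that was bound correctly in case 2.
$rawWhere = 'user = ' . $db->quote($userInput);
$count = $db->query("SELECT COUNT(*) FROM bookings WHERE $rawWhere")->fetchColumn();
echo "Rows matching raw WHERE clause ($rawWhere): $count\n";
```

Run it with the php command-line binary. In Kirby terms, the array you pass to insert() is case 2; a raw SQL string handed to where() is case 1 unless you quote it yourself as in case 4; and the ->debug() check mentioned above tells you which one you got, since a bound value shows up as a named binding rather than as a literal inside the SQL text.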
Ok, great. So I don’t have to use that mysql real escape function thingy?
In most cases not.