
I am using Propel. I'm posting a description to a page and saving it with a Propel query:

$desc = "my school's is here that why \" i have work";    // this data is posted by my form input
$education->setEddescription($desc);
$education->save();

But in the database it is not escaping the ' and " values.

Thanks.

SonalPM
Chetan Badgujar
  • ORMs do escape values for SQL query context (Propel uses bound params). And the database does not *need* to store anything escaped, just the actual values. Do you perhaps have a code issue elsewhere? – mario Oct 10 '14 at 04:55
  • I am printing that description in JSON: "description":"my schools is here that "" why i have work" and getting an error in the JSON – Chetan Badgujar Oct 10 '14 at 05:04
  • Well then **don't** manually construe invalid JSON. There is `json_encode()` which handles things properly. – mario Oct 10 '14 at 05:29
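The point made in the comments above, as an added example (not code from the question or from Propel): the database holds the raw description because Propel binds it as a parameter, so the JSON layer has to do its own escaping. The `$desc` value is a constructed sample standing in for what `$education->getEddescription()` would return.

```php
<?php
// Constructed sample: the raw value as Propel stores and returns it (no escaping).
$desc = "my school's is here that why \" i have work";

// Hand-built JSON, like the asker's output: the inner double quote ends the
// JSON string early, so the result is not valid JSON at all.
function buildJsonByHand(string $description): string
{
    return '{"description":"' . $description . '"}';
}

// json_encode() escapes quotes, backslashes and control characters itself and
// throws on invalid UTF-8 instead of silently returning false.
function buildJsonSafely(string $description): string
{
    return json_encode(['description' => $description], JSON_THROW_ON_ERROR);
}

$broken = buildJsonByHand($desc);
$safe   = buildJsonSafely($desc);

// The hand-built string does not parse; the encoded one round-trips intact.
var_dump(json_decode($broken) === null);
var_dump(json_decode($safe, true)['description'] === $desc);
echo $safe, PHP_EOL;
```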

1 Answer


Reference: Is Propel's fromArray/fromJSON feature safe from SQL injection?

Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and performance enhancing).

Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.

So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.

Community
Teerath Kumar