phalcon query return Scanning error before

Question

I'm using the phalcon framework, I want to execute this query

public function updateAction($id)
{
$email = $this->request->getPost('email');
 $check_email_unique = Users::find(['conditions' => 'id != ' .$id. ' AND email = '. $email]);

echo $check_email_unique->id;
return ;
    }

but when test, the function on postman this returns error

You must as single quote ["conditions"=> '"id != '" .$id. "' AND email = '". $email."'"] — Nguyên Ngô Duy, Jan 21 '19 at 09:51

score 2 · Accepted Answer · answered Jan 21 '19 at 11:20

You want to be binding your parameters because what you are doing is vulnerable to SQL injection.

Try this:

$check_email_unique = Users::findFirst([
    'conditions' => "email = :email: AND id != :id:",
    'bind' => [
        'email' => $email,
        'id' => $id
    ]
]);

score -1 · Answer 2 · edited Jan 21 '19 at 12:02

-1

Thanks all .. i solved my problem like that :

    public function updateAction($id)
        {
        $email = $this->request->getPost('email');
        $check_email_unique = Users::findFirst(['conditions' => "email = '".$email."' AND id != '".$id."'"]);

    echo  $check_email_unique->id; 
return ;
    }

edited Jan 21 '19 at 12:02

Ritul Lakhtariya

362
1
16

answered Jan 21 '19 at 10:29

Ahmad Abo Zaid

340
1
16

This answer is vulnerable to injection attacks. You need to be binding your parameters as stated above. – David Duncan Jan 29 '19 at 20:12
There is a better way on this by binding-it – Louie Miranda Jul 12 '22 at 10:09

phalcon query return Scanning error before

2 Answers2