XF 2.0 Is it a safe approach to avoid SQL injection?

abdfahim

Well-known member
When I need to use raw SQL, what is the correct approach to avoid SQL injection? For example, when $userinput is a GET parameter (hence any end user can set it to anything), is the below query safe?

Code:
$db = \XF::db();
$db->fetchAllKeyed("SELECT ..........................
                    HAVING column_expr LIKE ?", "user_id", $userinput);

assuming the query is too complex to use the Finder object.
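The question above hinges on two separate things: whether a bound `?` placeholder stops the value from breaking out of the query (it does), and whether `%`/`_` in the value still change what `LIKE` matches (they do). The following stand-alone PHP is an added example, not the poster's code or XenForo's; it uses PDO with an in-memory SQLite database and a hypothetical `xf_user` stand-in table so it can run without a forum install, and the same two points apply to `\XF::db()` methods such as `fetchAllKeyed`.

```php
<?php
// Added example: bound parameters versus LIKE wildcards. Runs against an
// in-memory SQLite database via PDO; the table is a constructed stand-in.

function escapeLike(string $value, string $escape = '\\'): string
{
    // Escape the LIKE metacharacters (% and _) and the escape char itself so
    // the user's text is matched literally. Binding alone does NOT do this.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

function searchUsers(PDO $pdo, string $userinput): array
{
    // The SQL text never contains the user's bytes: the value travels to the
    // driver separately, so "' OR '1'='1" cannot close the literal or add a
    // clause. We append the trailing % ourselves after escaping the input.
    $stmt = $pdo->prepare(
        "SELECT user_id, username FROM xf_user
          WHERE username LIKE ? ESCAPE '\\'
          ORDER BY user_id"
    );
    $stmt->execute([escapeLike($userinput) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE xf_user (user_id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO xf_user (username) VALUES ('alice'), ('bob'), ('a_b%c')");

// Constructed inputs standing in for hostile GET parameters.
var_dump(count(searchUsers($pdo, "' OR '1'='1"))); // int(0): stays literal text
var_dump(count(searchUsers($pdo, "%")));           // int(0): wildcard was escaped
var_dump(count(searchUsers($pdo, "a_b%")));        // int(1): only 'a_b%c' matches
```

Without `escapeLike`, the second call would return every row, which is a query-intent problem rather than an injection, and the reason wildcard escaping belongs next to parameter binding.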