Revision: Fri, 31 May 2024 16:10:42 GMT


Cycle ORM query builder will automatically pass all of the used parameters as part of the prepared statement. However, you have to remember that column and table names have to be escaped on the application level.


Avoid using user provided identifiers without a proper whitelist:

$users = $userRepository->select();

$users->where($userParam, '=', $value); // possible SQL injection

Avoid using user values in orderBy as well:

$users->orderBy($userParam, $userDirection); // possible SQL injection

Same goes for aggregation methods sum, avg, min, max.

Expression and Fragments

No user input must be used in Fragment and Expression wrappers:

$users->where($name, '=', new \Cycle\Database\Injection\Expression("CONCAT($userValue)")); // possible SQL injection

Parameter $userValue must be passed by using bindings:

$value = new \Spiral\Database\Injection\Parameter($userValue);
$concat = new \Spiral\Database\Injection\Expression("CONCAT(?)", $value);
// or
$concat = new \Spiral\Database\Injection\Expression("CONCAT(?)", $userValue); // it will be wrapped in Parameter class automatically.

$users->where($name, '=', $concat);

Array Parameters

The ORM will not allow you to use array parameters outside of Parameter scope:

$users->where($id, 'IN', [1, 2, 3]); // compile exception
$users->where($id, 'IN', new \Cycle\Database\Injection\Parameter([1, 2, 3])); // valid approach
Edit this page