Sql Injection DBManager

Does anybody knows for sure if the db->query() method uses PDO, sanitizes the input query statement somehow? or should I use another method to make sure I don’t have any sql injection issue?

For example. I’m using this:
$sql = “SELECT id FROM accounts WHERE id=’$id’ AND deleted = 0”;
$result = $GLOBALS[‘db’]->query($sql);

$id is a query string parameter (url)


It is not PDO

You need to sanitize yourself (if some part of the query is provided by a user or an untrusted source. There are methods in the DBManager to sanitize.


    $idQuoted = $db->quoted($id);
    $q = "SELECT name FROM contacts WHERE id='$idQuoted'";
    $r = $db->query($q);
1 Like