Is Propel's fromArray/fromJSON feature safe from SQL injection?
The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this:

$foo = new Widget();
$foo->fromArray($_POST);
$foo->save(); /* Aaand you're done! */

...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.

Jewelljewelle answered 28/6, 2012 at 13:35
Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and enhancing performance).

Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.

So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.

Venita answered 28/6, 2012 at 13:40
Propel is safe as Adnan said, but when you decide to use the fromArray() method, never pass the $_POST global variable directly. Otherwise, you open the door to the mass assignment attack.

You always have to check input data, in other words, you should never trust your users.

Decoction answered 28/6, 2012 at 17:55
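To make the mass-assignment point above concrete, here is an added example (not code from the original post or from Propel). The Widget class and its column names are a hypothetical stand-in that mirrors the fromArray() behaviour the thread describes: every key that matches a model attribute gets assigned, so an allow-list has to be applied before the array reaches the model.

```php
<?php
// Hypothetical stand-in for a Propel model; column names are constructed for this example.
class Widget
{
    private array $data = ['Name' => null, 'Price' => null, 'IsAdmin' => false];

    // Mirrors the behaviour discussed above: each key with a matching attribute is assigned.
    // The resulting SQL is still parameterised, so this is not an injection issue;
    // the problem is that the client decides WHICH columns get written.
    public function fromArray(array $arr): void
    {
        foreach ($arr as $key => $value) {
            if (array_key_exists($key, $this->data)) {
                $this->data[$key] = $value;
            }
        }
    }

    public function toArray(): array
    {
        return $this->data;
    }
}

// Keep only the keys this particular form is allowed to set; everything else is dropped.
function filterAllowed(array $input, array $allowed): array
{
    return array_intersect_key($input, array_flip($allowed));
}

// Constructed request body: the client added a field the form never exposed.
$post = ['Name' => 'Gadget', 'Price' => '9.99', 'IsAdmin' => '1'];

// Unsafe: passing the raw request straight through lets the extra key land in the model.
$unsafe = new Widget();
$unsafe->fromArray($post);

// Safe: apply the allow-list first, then hand the filtered array to fromArray().
$safe = new Widget();
$safe->fromArray(filterAllowed($post, ['Name', 'Price']));

var_dump($unsafe->toArray()['IsAdmin'], $safe->toArray()['IsAdmin']);
```

The same filter applies to fromJSON(): decode the JSON to an array, run it through the allow-list, and only then call fromArray().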