PHP Adodb Active Record SQL Injection
I can't seem to ascertain whether or not the PHP Adodb Active Record, DB ORM secures against SQL Inject开发者_运维百科ion.
http://phplens.com/lens/adodb/docs-active-record.htm
Specifically I am using the updating and inserting methods, e.g.:
$person = new person();
$person->name_first = $_POST['firstname'];
$person->name_last = $_POST['surname'];
$person->save();
Do the $_POST variables need to be escaped?
I just looked through the code-- it does escape out the variables you pass. You can confirm this by turning on debug mode... or even easier, try writing out a string with single and double quotes and see if it makes it into the table okay :-)
精彩评论