 

Is Propel's fromArray/fromJSON feature safe from SQL injection?

The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, which should allow something like this:

<?php
$foo = new Widget();        // a generated Propel model class
$foo->fromArray($_POST);    // populate every column named in the request
$foo->save(); /* Aaand you're done! */

...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.

Wander Nauta asked Jun 28 '12 13:06


2 Answers

Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and enhancing performance).

Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.

So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.

Adi answered Oct 19 '22 23:10


Propel is safe as Adnan said, but when you decide to use the fromArray() method, never pass the $_POST global variable directly. Otherwise, you open the door to the mass assignment attack.

You always have to check input data, in other words, you should never trust your users.

William Durand answered Oct 20 '22 01:10
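A concrete way to apply William Durand's advice, as an added example that is not code from the question, the answers or Propel itself. The Widget class comes from the question; the column names Name, Price and IsAdmin, the phpName-style keys expected by fromArray() and the helper function are assumptions for illustration.

```php
<?php
// Added example: an allow-list in front of Widget::fromArray() so that
// request data cannot write columns the user is not meant to control.
// Propel's prepared statements handle SQL escaping; this filter decides
// WHICH columns may be written, which escaping alone does not.

/**
 * Return only the entries of $input whose keys are in $allowed.
 * With $strict = true, any unexpected key raises an exception so the
 * attempt can be logged instead of being silently dropped.
 */
function pickFields(array $input, array $allowed, bool $strict = false): array
{
    $unexpected = array_diff(array_keys($input), $allowed);
    if ($strict && $unexpected !== []) {
        throw new InvalidArgumentException(
            'Unexpected fields in request: ' . implode(', ', $unexpected)
        );
    }
    return array_intersect_key($input, array_flip($allowed));
}

// Columns an ordinary user may set on a Widget (assumed column names).
const WIDGET_WRITABLE = ['Name', 'Price'];

// Constructed request body standing in for $_POST: the client adds a
// column it must not control alongside the legitimate fields.
$request = ['Name' => 'gadget', 'Price' => '9.99', 'IsAdmin' => '1'];

// Vulnerable pattern from the question: every column named in the
// request is assigned, IsAdmin included.
// $widget->fromArray($request);

// Hardened: only allow-listed columns reach the model. After filtering,
// $safe is ['Name' => 'gadget', 'Price' => '9.99'].
$safe = pickFields($request, WIDGET_WRITABLE);

$widget = new Widget();
$widget->fromArray($safe);
$widget->save();
```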