
How do I avoid SQL injection when using the DBManagerFactory? Is there any way to use parametrized queries?

Question asked by Alan Apter on Aug 24, 2016
Latest reply on Sep 1, 2016 by Alan Apter

The DBManager - http://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_7.7/Data_Framework/Database/DBManagerFac… - is indispensable for querying the database.

My favorite way of preventing SQL injection is binding variables, so the query and the variables get sent to the database. In PHP I'd use PDO with parameterized queries (using bindParam()). This thread recommends it for all sorts of reasons - appsec - SQL injection -- why isn't escape quotes safe anymore? - Information Security Stack Exchange.

I'm pretty sure PDO is being used in the background in the DBManager. Is there any way to use parameterized queries using the DBManager?
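
An added example (not from the original post and not SugarCRM's own code) of the binding the question describes, using plain PDO against an in-memory SQLite database so it runs offline; the `accounts` table and its rows are constructed sample data, and `findUnsafe`/`findSafe` are names chosen for this illustration.

```php
<?php
// Added example: the same lookup written with string concatenation and
// with a bound parameter, to show why the bound form is the safe one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the driver
// uses server-side prepared statements and values never travel inside
// the SQL text; the SQLite driver prepares natively already.

// Constructed sample schema and rows.
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO accounts (name) VALUES ('Acme'), ('O''Brien Ltd')");

// Untrusted input (think $_GET): a quote character is legitimate data here.
$userInput = "O'Brien Ltd";

// Unsafe: the input is spliced into the SQL text, so the database parses
// it as part of the statement. With this value the query merely fails;
// the syntax error is the benign symptom of the flaw injection abuses.
function findUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM accounts WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is prepared first, then the value is bound to a
// placeholder. The database receives the value only as data, so quotes
// in it cannot change the meaning of the query. bindParam() behaves the
// same but binds the variable by reference instead of copying the value.
function findSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM accounts WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findUnsafe($pdo, $userInput);
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
print_r(findSafe($pdo, $userInput));
```

The first call fails on the stray quote while the bound version returns the O'Brien Ltd row, which is exactly the property that makes binding preferable to escaping.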
