File tree Expand file tree Collapse file tree
user_guide_src/source/database Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -19,6 +19,30 @@ system.
1919 :local:
2020 :depth: 2
2121
22+ ************************
23+ SQL Injection Protection
24+ ************************
25+
26+ You can generate SQL statements quite safely with the Query Builder. However,
27+ it is not designed to prevent SQL injection no matter what data you pass.
28+
29+ Arguments passed to the Query Builder can be:
30+ 1. **identifiers ** such as field or table names
31+ 2. their **values **
32+ 3. a part of **SQL strings **
33+
34+ The Query Builder will escape all **values ** by default.
35+
36+ It will also try its best to properly protect **identifiers **
37+ and identifiers in **SQL strings ** by default.
38+ However, flexibility is a priority and is far from perfect.
39+ Therefore, you should never feed in user input to them without proper validation.
40+
41+ Also, many methods have the ``$escape `` parameter that can be set to disable escaping.
42+ If ``$escape `` is set to false, no protection is provided, so you must ensure that
43+ they are properly escaped or protected by yourself.
44+ The same is true when using ``RawSql ``, which specifies a raw SQL statement.
45+
2246*************************
2347Loading the Query Builder
2448*************************
You can’t perform that action at this time.
0 commit comments