Home/ Questions/Q 8910315
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T03:39:34+00:00

I am quite new to the FuelPHP framework. Right now I’m implementing an autocomplete

  • 0

I am quite new to the FuelPHP framework. Right now I’m implementing an “autocomplete” for a list of locations.

My code looks like this:

public function action_search($term=null){
    $clean_query =  Security::clean($term);
    $data["locations"] = array();
    if ($clean_query != "") {
        $data["locations"] = Model_Orm_Location::query()
                             ->where("title", "like", $clean_query."%")
                             ->get();
    }

    $response = Response::forge(View::forge("location/search", $data));
    $response->set_header("Content-Type","application/json");
    return $response;
}

As you can see, I’m concatenating a LIKE statement and it sort of feels bad to me. Is this code safe against SQL injections ? If yes, then is it because:

  • Security::clean will remove all mess;
  • where() in the ORM query will do the filtering?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Looking at the implementation of Security::clean in the source code of core/class/security.php, in your case the applied filters depend the configuration security.input_filter, which is empty by default. So no filter is applied.

    But when you dig deep into the database abstraction, you will see, that when the query is compiled just before execution, the query builder will apply quote on the value that was supplied in the where condition, which will then apply escape on string values. The implementations of that escape method depend on the DBMS connection:

    This reflects today’s best practices. So, yes, this is safe against SQL injections.

    • 0