2
votes

I want to use the following idiorm (orm): https://github.com/j4mie/idiorm.

It features following:
Built on top of PDO.
Uses prepared statements throughout to protect against SQL injection attacks.

Now, in https://github.com/j4mie/idiorm/blob/master/idiorm.php I don't see the usage of prepared statament so my question is-> if I use the following code, am I using orm+pdo prepared statements that is am I protected from sql injection attacks:

require_once 'idiorm.php';
ORM::configure(array(
    'connection_string' => 'mysql:host=localhost;dbname=my_database',
    'username' => 'database_user',
    'password' => 'top_secret'));
ORM::configure('return_result_sets', true);
ORM::configure('driver_options', array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8'));
ORM::configure('error_mode', PDO::ERRMODE_EXCEPTION);

$people = ORM::for_table('person')
                ->where(array(
                    'name' => $_POST["name"],
                    'age' => $_POST["age"]
                ))
            ->find_one();
1

1 Answers

1
votes

Yes, Idiorm uses prepared statements and you should be protected from SQL injection attacks.

You can check the _execute method that is called when you execute a query. It uses bindParam method to attach the parameters.