Quick question, does Kohana (version 3) automatically escape data that is passed into ORM::factory..... (and everywhere else that has to do with the database)?
For example:
$thread = ORM::factory('thread', $this->request->param('id'));
Would the data passed in the second argument be auto-escaped before it goes in the SQL query or do I have to manually do it? Probably a stupid question and it's better to be safe than sorry, but yeah... I usually do manually escape the data, but I want to know if Kohana does this for me?
Thanks
It's auto-escaped. The only scenario where you have to worry about escaping is if you're writing your own SQL and inserting your data directly (by way of concatenation, for example), which you shouldn't be doing. The normal ways of querying a database in Kohana are parametrized queries (if you need to provide the SQL yourself), the query builder, and ORM, all of which handle escaping for you.
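The three query styles named in the answer above, next to the concatenated form it warns against, as an added example that is not part of the original thread. The controller name, the `threads` table and a `Model_Thread` class are assumptions, as is a Kohana 3 application with the database and ORM modules enabled.

```php
<?php defined('SYSPATH') or die('No direct script access.');

// Added example, not code from the thread. Assumed names: Controller_Thread,
// Model_Thread and a `threads` table with an `id` primary key.
class Controller_Thread extends Controller {

	public function action_view()
	{
		// Route segment: fully controlled by whoever builds the URL.
		$id = $this->request->param('id');

		// UNSAFE (kept commented out): the value becomes part of the SQL text,
		// so nothing in Kohana gets a chance to quote it.
		// $rows = DB::query(Database::SELECT,
		//     "SELECT * FROM threads WHERE id = '".$id."'")->execute();

		// 1. Hand-written SQL, parametrized: the :id placeholder is replaced
		//    with a quoted, escaped value when the query is compiled.
		$rows = DB::query(Database::SELECT, 'SELECT * FROM threads WHERE id = :id')
			->param(':id', $id)
			->execute();

		// 2. Query builder: the value given to where() is quoted the same way.
		$rows = DB::select()
			->from('threads')
			->where('id', '=', $id)
			->execute();

		// 3. ORM: the key passed to factory() is looked up through the query
		//    builder, so the line from the question needs no manual escaping.
		$thread = ORM::factory('thread', $id);

		if ( ! $thread->loaded())
		{
			// No row matched, which is also what non-numeric input ends up as.
			return;
		}

		// Caveat: anything wrapped in DB::expr() is inserted verbatim and is
		// NOT escaped, so never build a DB::expr() string from request data.
	}
}
```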