Is there sql injection in DoliDBMysqli

Hi everyone,

I am creating a new PDF template and need to access the database to retrieve a value. Here’s my code:

$propal_extrafields = $this->db->query("SELECT * FROM `llx_propal_extrafields` WHERE `fk_object`=".$object->id)->fetch_assoc();

I would prefer to use a prepared statement. Is that possible? Is DoliDBMysqli already protected against SQL injection?

Thanks!

Yes. You can prepare a statement, something like this:

$stmt = $db->db->prepare($sql);

and use this $stmt to bind parameters:

$stmt->bind_param($types, ...$parameters); // $types is the mysqli type string, e.g. "i" for one integer parameter

See https://www.php.net/manual/en/mysqli-stmt.bind-param.php.
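The approach from the answer applied to the query in the question, as an added example (not code from either poster or from Dolibarr itself). It assumes DoliDBMysqli exposes the underlying mysqli connection as its public $db property, that Dolibarr's MAIN_DB_PREFIX constant and dol_syslog() helper are available, and that the mysqlnd driver is installed so get_result() works:

```php
<?php
// Added example: the questioner's query rewritten as a mysqli prepared
// statement through DoliDBMysqli's public $db property (assumed to be the
// raw mysqli connection). $propalId is sent to the server separately from
// the SQL text, so its value can never change the shape of the query.
function fetchPropalExtrafields(DoliDBMysqli $db, int $propalId): ?array
{
    // MAIN_DB_PREFIX is Dolibarr's configured table prefix (normally "llx_").
    $sql = "SELECT * FROM ".MAIN_DB_PREFIX."propal_extrafields WHERE fk_object = ?";

    $stmt = $db->db->prepare($sql);
    if ($stmt === false) {
        dol_syslog("fetchPropalExtrafields: prepare failed: ".$db->db->error, LOG_ERR);
        return null;
    }

    // "i" tells mysqli to bind the placeholder as an integer.
    $stmt->bind_param("i", $propalId);

    if (!$stmt->execute()) {
        dol_syslog("fetchPropalExtrafields: execute failed: ".$stmt->error, LOG_ERR);
        $stmt->close();
        return null;
    }

    $result = $stmt->get_result();   // needs the mysqlnd driver
    $row = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();

    // fetch_assoc() returns null when no extrafields row exists for this id.
    return $row ?: null;
}

// Usage inside the PDF template (hypothetical call site):
// $propal_extrafields = fetchPropalExtrafields($this->db, (int) $object->id);
```

If get_result() is unavailable on the host, the same binding still works with bind_result() and fetch(), which the linked PHP manual page also documents.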