Question

I'm thinking of using RedBean as an ORM mapper. Currently I'm using my own implementation, which does not work very well as the project is getting bigger and more complex.

There is, however, one question I'm unable to find an answer to:
How secure is RedBean in terms of someone injecting code/queries/false data?

Let's say I want to use a MySQL database in the background and I'm getting the incoming data via POST. Is it possible to perform a MySQL injection with malicious POST data? Do I have to escape the incoming data myself, or does RedBean do something like that in the background? Do I have to worry about something like that in general if I'm using an ORM as a database abstraction?

I'm not planning on shortcutting RedBean by processing MySQL statements directly over it. So this will probably be no issue.


Solution

I found the answer myself (to a certain degree):

There is no need to use mysql_real_escape as long as you use parameter binding.
Use the question mark slots or the named slots as shown in the examples.
Please don't use your own homebrewed escaping functions.

Source
Under the 'Converting Records to Beans' section.

OTHER TIPS

You've answered yourself correctly, but also take note of the following post: PDO MySQL: Use PDO::ATTR_EMULATE_PREPARES or not?
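An added example (not from the question, the answers, or the RedBeanPHP project) showing what "parameter binding" from the accepted answer looks like in RedBeanPHP, with the concatenated form beside it, plus the PDO::ATTR_EMULATE_PREPARES setting from the tip above. It assumes RedBeanPHP 4.x loaded from rb.php, a MySQL DSN and credentials that are placeholders, and that the driver exposes its PDO handle via getDatabaseAdapter()->getDatabase()->getPDO().

```php
<?php
// Added example, not part of the original post or of RedBeanPHP.
// Assumes RedBeanPHP 4.x (rb.php) and a placeholder MySQL DSN/credentials.
require 'rb.php';

R::setup('mysql:host=localhost;dbname=shop', 'dbuser', 'dbpassword'); // placeholders

// Optional hardening from the tip about PDO::ATTR_EMULATE_PREPARES: let the
// MySQL server bind parameters instead of PDO emulating it client-side.
// Accessor chain assumed from the RedBeanPHP 4 driver layout.
R::getDatabaseAdapter()->getDatabase()->getPDO()
    ->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed POST input. The apostrophe is legitimate data, but it would
// break (and be exploitable in) a query built by string concatenation.
$_POST = ['author' => "O'Reilly", 'title' => 'Learning PHP'];

// UNSAFE: the value is spliced into the SQL fragment. RedBean hands the
// fragment to PDO verbatim, so nothing escapes it.
function findUnsafe(string $author): array {
    return R::find('book', " author = '" . $author . "' ");
}

// SAFE: question-mark slot; the value travels as a bound parameter.
function findByAuthor(string $author): array {
    return R::find('book', ' author = ? ', [$author]);
}

// SAFE: named slots, handy when a value is reused or there are many of them.
function findByAuthorAndTitle(string $author, string $title): array {
    return R::find('book', ' author = :author AND title = :title ',
        [':author' => $author, ':title' => $title]);
}

// Storing data through beans needs no manual escaping either: RedBean writes
// property values through prepared statements.
$book = R::dispense('book');
$book->author = $_POST['author'];
$book->title  = $_POST['title'];
R::store($book);

$hits = findByAuthorAndTitle($_POST['author'], $_POST['title']);
printf("%d book(s) found for %s\n", count($hits), $_POST['author']);
```

The same rule applies to R::getAll, R::getRow and R::exec: pass user-supplied values only in the bindings array, never inside the SQL string.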

Licensed under: CC-BY-SA with attribution