I made a custom module which is actually a bit extended contact form module. I'm saving form data into database.
Is it safe just to call $model->save() with values from POST?
This is how I save data:
$data = $this->getRequest()->getPost('partnercontact');
$model->addData($data);
$model->save();
May I assume that Magento sanitizes values before saving them into the database, or is my module vulnerable to SQL injection attacks?
Best Answer
$this->getRequest() should return an instance of Mage_Core_Controller_Request_Http that extends Zend_Controller_Request_Http. From what I know Zend sanitizes the request values.
And the actual SQL insert and update uses an instance of Varien_Db_Adapter_Pdo_Mysql that extends Zend_Db_Adapter_Pdo_Mysql. This one also should sanitize the queries. But you can never be too careful.
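An added example (not part of the question or the answer) of the extra care the answer recommends: whitelisting which POST keys may reach addData(), so the adapter's quoting covers the SQL values while the whitelist controls which columns the form can write. The allowed field names and the model alias are assumptions.

```php
<?php
// Added example: restrict mass-assignment from POST to an explicit field list.
// Field names and the model alias below are hypothetical.

/**
 * Keep only the allowed keys from the submitted form array and normalise
 * each value to a trimmed scalar string. Unexpected keys (for example an
 * 'entity_id' or 'status' added to the request) are dropped instead of
 * being passed to the model.
 */
function filterPartnerContactPost($post, array $allowedFields)
{
    if (!is_array($post)) {
        // getPost() returns null or a scalar when the key is missing/malformed
        return array();
    }
    $clean = array();
    foreach ($allowedFields as $field) {
        if (!array_key_exists($field, $post)) {
            continue;
        }
        $value = $post[$field];
        if (is_array($value)) {
            // a nested array never maps to a single column; reject it
            continue;
        }
        $clean[$field] = trim((string) $value);
    }
    return $clean;
}

// Usage inside the controller action from the question:
//
// $allowed = array('name', 'email', 'phone', 'message');   // assumed columns
// $data = filterPartnerContactPost(
//     $this->getRequest()->getPost('partnercontact'), $allowed
// );
// if (!isset($data['email']) || !Zend_Validate::is($data['email'], 'EmailAddress')) {
//     // reject the submission before anything touches the model
// }
// $model = Mage::getModel('partnercontact/partnercontact');   // assumed alias
// $model->addData($data);
// $model->save();
```

The values still pass through the adapter quoting the answer describes; the whitelist only decides which columns a form submission is allowed to set.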