Fix SQL Injection (Legacy & Modern) in FuelPHP
FuelPHP's database layer can run on either the PDO or the MySQLi driver, but it still lets developers shoot themselves in the foot through raw queries and misuse of the Query Builder. SQL injection in FuelPHP occurs when untrusted input is concatenated directly into a SQL string instead of being bound as a parameter. To secure both legacy and modern FuelPHP applications, move from string manipulation to the Query Builder's own parameter quoting or to the ORM's abstraction layer.
The Vulnerable Pattern
```php
// VULNERABLE: raw query with string concatenation.
// The request parameter becomes part of the SQL text, so a value such as
// "1 OR 1=1" changes the WHERE clause instead of being compared as data.
$id   = \Input::get('id');
$user = \DB::query("SELECT * FROM users WHERE id = " . $id)->execute();

// VULNERABLE: improper Query Builder usage (input treated as a SQL literal).
// \DB::expr() marks the string as a raw expression, so the builder inserts
// it verbatim and skips the escaping and quoting it would otherwise apply.
$username = \Input::post('username');
$data     = \DB::select()->from('users')
    ->where('username', '=', \DB::expr("'$username'"))
    ->execute();
```
The Secure Implementation
The core fix is to stop building SQL from strings and let the database layer quote every value. In the secure examples, the Query Builder escapes and quotes the value passed as the third argument to where() itself. For raw SQL through \DB::query(), bind values to named placeholders (e.g. :id) with parameters() or param(); when the query is compiled, FuelPHP replaces each placeholder with the driver-quoted value, so the driver treats the input as data, not as SQL. Two caveats apply. Placeholders and where() bind values only: a user-supplied table or column name, or a sort direction, can never be bound and must be checked against a whitelist instead. And \DB::expr() marks a string as raw SQL that is inserted verbatim, so request data must never be wrapped in it. If you are working with legacy code that cannot be refactored, \Database_Connection::instance()->quote() (also exposed as \DB::quote()) is a manual escape-and-quote fallback, but parameter binding is the preferred standard.
```php
// SECURE: parameterized raw query. :id is replaced with the driver-quoted value.
$id   = \Input::get('id');
$user = \DB::query("SELECT * FROM users WHERE id = :id")
    ->parameters(['id' => $id])
    ->execute();

// SECURE: modern Query Builder. The value is escaped and quoted automatically.
$username = \Input::post('username');
$data     = \DB::select()->from('users')
    ->where('username', '=', $username)
    ->execute();

// SECURE: ORM approach. The primary key value is quoted by the ORM.
$user = Model_User::find($id);
```
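The following is an added example, not code from the original page or from FuelPHP itself. It puts the three safe patterns above into a FuelPHP 1.x REST controller and also covers the two inputs that placeholders cannot protect, a sort column and a sort direction, which are whitelisted instead. The table and column names (users, id, username, created_at), the controller name and the routes are assumptions for the illustration.

```php
<?php
// Assumed location: fuel/app/classes/controller/users.php (hypothetical).
// Added example; the table "users" and its columns are assumed.

class Controller_Users extends \Controller_Rest
{
    // Only these columns may be used for sorting. Placeholders bind values,
    // not identifiers, so a user-supplied column name can never be bound.
    protected static $sortable = array('id', 'username', 'created_at');

    // GET /users/view?id=42
    public function get_view()
    {
        // Cast first: for an integer key, anything that is not a positive
        // integer is rejected before any SQL is built.
        $id = (int) \Input::get('id', 0);
        if ($id < 1)
        {
            return $this->response(array('error' => 'invalid id'), 400);
        }

        // Raw SQL with a named placeholder. param() routes the value through
        // the driver's quote(), so ":id" is replaced with data, never with SQL.
        $rows = \DB::query('SELECT id, username FROM users WHERE id = :id')
            ->param('id', $id)
            ->execute()
            ->as_array();
        $user = $rows ? $rows[0] : null;

        // Equivalent ORM lookup: Model_User::find($id). find() treats the
        // strings 'all', 'first' and 'last' specially, which is one more
        // reason to cast request data to int before passing it in.

        return $this->response($user ?: array('error' => 'not found'), $user ? 200 : 404);
    }

    // GET /users/search?username=bob&sort=username&dir=desc
    public function get_search()
    {
        $username = (string) \Input::get('username', '');
        $sort     = (string) \Input::get('sort', 'id');
        $dir      = strtolower((string) \Input::get('dir', 'asc'));

        // Whitelist the identifier and the direction; fall back to safe defaults.
        in_array($sort, static::$sortable, true) or $sort = 'id';
        in_array($dir, array('asc', 'desc'), true) or $dir = 'asc';

        // The Query Builder quotes $username itself. Never wrap request data
        // in \DB::expr(): an expression is inserted verbatim, which is exactly
        // how the "improper usage" above becomes injectable.
        $rows = \DB::select('id', 'username')
            ->from('users')
            ->where('username', '=', $username)
            ->order_by($sort, $dir)
            ->limit(50)
            ->execute()
            ->as_array();

        return $this->response($rows, 200);
    }
}
```

The cast in get_view() and the whitelists in get_search() are the parts that the page's one-line examples leave out: the binding mechanism only protects the positions where a value belongs, so every other piece of request data that reaches the query has to be constrained to a known set before the query is built.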
Verified by Ghost Labs Security Team