Fix SQL Injection (Legacy & Modern) in Spiral
Spiral Framework's DBAL and Cycle ORM are secure by default, but developers often bypass these protections by using raw queries for complex logic. This guide targets the 'Legacy' approach (raw SQL via DatabaseInterface) and the 'Modern' approach (Cycle ORM) to eliminate SQL Injection vectors.
The Vulnerable Pattern
// VULNERABLE: Direct string interpolation in DatabaseInterface
public function getUser(string $id): array
{
    $sql = "SELECT * FROM users WHERE id = '" . $id . "'";
    return $this->db->query($sql)->fetchAll();
}
// VULNERABLE: Unsafe raw expression in ORM Select
// The interpolated $status bypasses the builder's parameter binding entirely.
$users->select()->where(new Expression("status = '$status'"))->fetchAll();
The Secure Implementation
The vulnerability occurs when user-controlled data is concatenated directly into SQL strings, allowing an attacker to manipulate the query logic (e.g., using ' OR 1=1). The fix is two-fold:
1. In legacy/low-level DBAL code, use positional (?) or named (:id) placeholders; the underlying PDO driver handles the escaping and quoting.
2. In modern Spiral apps, use the Cycle ORM Query Builder or Repositories. Cycle automatically uses prepared statements for all filter criteria passed via arrays, neutralizing the injection vector at the driver level.
// SECURE: Using Parameterized Queries (DBAL)
public function getUser(string $id): array
{
    return $this->db->query(
        "SELECT * FROM users WHERE id = ?",
        [$id]
    )->fetchAll();
}

// SECURE: Using Cycle ORM Repository (Preferred)
public function getUser(string $id): ?User
{
    return $this->users->findByPK($id);
}
// SECURE: Using array criteria in Select (Cycle binds $status as a parameter)
$users->select()->where(['status' => $status])->fetchAll();
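To see why the placeholder fix works at the driver level the guide refers to, the following added example (not code from Spiral, Cycle or this page) runs both versions of getUser against an in-memory SQLite database through plain PDO, the layer Spiral's DBAL delegates binding to. It assumes the pdo_sqlite extension is available; the table contents and the tautology payload are constructed for the demo.

```php
<?php
// Added example: the page's vulnerable and secure getUser() rewritten against
// raw PDO so the difference is observable without a Spiral application.
// Assumes pdo_sqlite is installed; the data below is constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (id, name) VALUES ('1', 'alice'), ('2', 'bob')");

// Mirrors the page's VULNERABLE getUser(): the id is spliced into the SQL text,
// so the driver receives whatever SQL the caller's input turns it into.
function getUserVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM users WHERE id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Mirrors the page's SECURE getUser(): the SQL text is fixed at prepare time and
// the id travels separately as a bound parameter, exactly as DBAL's query(?, [...]) does.
function getUserSecure(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the tautology the guide mentions, in the form that closes
// the opening quote of the concatenated query.
$payload = "' OR '1'='1";

// Concatenation turns the WHERE clause into "id = '' OR '1'='1'": every row leaks.
$leaked = getUserVulnerable($pdo, $payload);

// With a bound parameter the entire payload is compared as one literal id value.
$bound = getUserSecure($pdo, $payload);

// A legitimate lookup still works through the secure path.
$alice = getUserSecure($pdo, '1');

if (count($leaked) !== 2 || count($bound) !== 0 || $alice[0]['name'] !== 'alice') {
    throw new RuntimeException('unexpected result set');
}

printf("vulnerable path returned %d rows, parameterized path returned %d rows\n",
    count($leaked), count($bound));
```

Running it prints that the concatenated query returned both rows while the parameterized one returned none; the same contrast applies to the Cycle examples above, since array criteria go through the same bound-parameter path.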
Verified by Ghost Labs Security Team