Database custom query security

Hi, I was wondering if there is automatic escaping / sanitization of the variables we use in a custom query (either by using :P1 or directly {{my_var}} in the request)?

Personally, I doubt there is much done there - but you could pre-process the values yourself removing any unwanted chars or constructs.

Safest bet is to try various use cases for yourself and check the final query as sent to the DB…

1 Like

Yes, the parameters are automatically escaped/sanitized when you have set them up as parameters in your custom query. Use :P1 or ? and set them up as parameters; don't use expressions directly in the query.

In PHP for example we use PDO and we create a prepared statement first then the parameters are bound and then executed. (https://www.php.net/manual/en/pdostatement.bindparam.php)

1 Like

Thank you @patrick for your answer :smiley: I use expressions directly when I want to use a variable as the name of a column or when the variable content is something like: WHERE column_name = 'test'. Is it an issue?

As long as it is a static value and not some user input, it is not a problem. User input should only be passed using variables when possible, or you should have good validation on it to prevent SQL injection.

1 Like
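As an added example (not code from the original thread, and not the platform's own PHP/PDO implementation that patrick mentions): the contrast between a bound :P1 parameter and an {{expression}} pasted into the query text, plus the column-name case from the last two replies, written in Python against an in-memory SQLite table so it runs stand-alone. The `users` table, the `:P1` parameter name, the injection payload and the `ALLOWED_COLUMNS` set are all assumptions made for this demo.

```python
import sqlite3


# Constructed sample table for the demonstration (not from the original thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("test", "test@example.com")],
    )
    return conn


# UNSAFE: the value is pasted into the SQL text, which is what an
# {{expression}} inside the query does. A quote in the input rewrites the query.
def find_by_name_unsafe(conn, name):
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# SAFE: the value travels as a bound parameter (:P1 style). The driver never
# merges it into the SQL text, so quotes in the input are just data.
def find_by_name_safe(conn, name):
    sql = "SELECT id, name FROM users WHERE name = :P1"
    return conn.execute(sql, {"P1": name}).fetchall()


# Why a column name cannot be a bound parameter: a bound value is always a
# literal, so "SELECT :P1" selects the string 'name', not the column called name.
def select_column_bound(conn, column):
    sql = "SELECT :P1 FROM users ORDER BY id"
    return conn.execute(sql, {"P1": column}).fetchall()


# Identifiers (column/table names) must live in the SQL text. When the name
# comes from user input, validate it against an allowlist before building the
# query; anything else is injection again, just in a different position.
ALLOWED_COLUMNS = {"id", "name", "email"}


def select_column(conn, column):
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f'SELECT "{column}" FROM users ORDER BY id'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    print("unsafe:", find_by_name_unsafe(conn, payload))  # every row comes back
    print("safe:  ", find_by_name_safe(conn, payload))    # no row matches
    print("bound identifier:", select_column_bound(conn, "name"))
    print("allowlisted identifier:", select_column(conn, "name"))
    try:
        select_column(conn, "name; DROP TABLE users")
    except ValueError as e:
        print("rejected:", e)
```

The first reply's advice still applies to the allowlist path: log or inspect the final SQL string the platform sends, because that is the only place where an identifier smuggled in through an expression would show up.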