The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this:
$foo = new Widget();
$foo->fromArray($_POST);
$foo->save(); /* Aaand you're done! */
...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.
Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and performance enhancing).
Note that just using PDO does NOT guarantee any protection against SQL Injection; always use Prepared Statements.
So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.
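To make the answer's point concrete, here is an added example (not from the answer above and not Propel code) that runs the same hostile value through string interpolation and through a PDO prepared statement, which is the mechanism Propel relies on. It uses an in-memory SQLite database so it runs offline; the table, rows and payload are constructed for the demonstration.

```php
<?php
// Added example: interpolated SQL versus a PDO prepared statement.
// Not part of the original answer and not Propel's own code.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and data.
$pdo->exec('CREATE TABLE widget (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO widget (name) VALUES ('gizmo'), ('gadget')");

// Constructed untrusted input: a quote that tries to break out of the literal.
$untrusted = "x' OR '1'='1";

// UNSAFE: the value is spliced into the SQL text, so the embedded quote ends
// the string literal and the rest of the input is parsed as SQL. The WHERE
// clause becomes a tautology and every row in the table is returned.
$unsafe = $pdo->query("SELECT name FROM widget WHERE name = '$untrusted'")
              ->fetchAll(PDO::FETCH_COLUMN);
echo "interpolated query returned " . count($unsafe) . " row(s)\n";

// SAFE: the SQL text is fixed at prepare() time; the value travels separately
// as a bound parameter and can only be compared as data, never parsed as SQL.
// This is what Propel's generated setters and query classes do for you.
$stmt = $pdo->prepare('SELECT name FROM widget WHERE name = :name');
$stmt->execute([':name' => $untrusted]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared statement returned " . count($safe) . " row(s)\n";
```

The second query matches only a row whose name is literally `x' OR '1'='1`, which does not exist, so it returns nothing while the first returns the whole table. The protection comes from `prepare()` plus bound parameters, not from merely instantiating `PDO`, which is exactly the caveat the answer makes.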
Propel is safe as Adnan said, but when you decide to use the fromArray() method, never pass the $_POST global variable directly. Otherwise, you open the door to the mass assignment attack.
You always have to check input data, in other words, you should never trust your users.
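The mass assignment problem the answer describes, and the usual fix, as an added example that is not from the answer and not Propel's own code. It assumes a Propel-generated model `Widget` with a `Name` and a `Price` column the user may edit and an `IsAdmin` column the user must never set; all three names are hypothetical, and the keys are in Propel's default PHPName form, which is what `fromArray()` expects unless told otherwise.

```php
<?php
// Added example: allow-listing request fields before calling fromArray().
// Assumes a Propel-generated Widget class with columns Name, Price and
// IsAdmin (hypothetical names chosen for this illustration).

// UNSAFE: every key in the request reaches a setter. A user who adds an
// IsAdmin=1 field to the form submission gets setIsAdmin(1) called for free.
//
//     $widget = new Widget();
//     $widget->fromArray($_POST);
//     $widget->save();

// SAFE: decide in code which columns the request is allowed to touch and
// drop everything else before the array ever reaches fromArray().
function widgetFromRequest(Widget $widget, array $request): Widget
{
    // Allow-list of PHPName keys the caller may set. Anything absent here
    // (IsAdmin, Id, CreatedAt, ...) is silently discarded.
    $allowed = ['Name', 'Price'];

    $data = array_intersect_key($request, array_flip($allowed));

    // Type and range checks still belong here; the allow-list only answers
    // "which fields", not "which values".
    if (isset($data['Price']) && (!is_numeric($data['Price']) || $data['Price'] < 0)) {
        throw new InvalidArgumentException('Price must be a non-negative number');
    }

    $widget->fromArray($data);
    return $widget;
}

// Constructed request simulating a tampered form: the extra IsAdmin field
// never reaches the model because it is not in the allow-list.
$request = ['Name' => 'gizmo', 'Price' => '9.50', 'IsAdmin' => '1'];

$widget = widgetFromRequest(new Widget(), $request);
$widget->save();
```

`array_intersect_key()` keeps only the request entries whose keys appear in the allow-list, so the set of writable columns is fixed by the code rather than by whatever the client chose to send. The same shape works for `fromJSON()` once the payload has been decoded to an array.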
Source: https://stackoverflow.com/questions/11245886/is-propels-fromarray-fromjson-feature-safe-from-sql-injection