Version 6 pre-stable
This version of Silverstripe CMS has not yet been given a stable release. See the release roadmap for more information. Go to documentation for the most recent stable version.

SQL placeholders

SQL placeholders are ? characters used as a placeholder for a value in a SQL query as a way to prevent SQL injection attacks. They are used by default extensively in queries created by the ORM.

For increased performance, placeholders are not used when filtering by an array of integer only values on a column that is either a DBPrimarykey or a DBForiegnKey. An example of this type of ORM filter is ->filter(['ID' => $ids]) which will turn into a SQL containing WHERE IN (<ids>).

There is no chance of SQL injection because of the exclusive use of integers for values. However, if you still wish for placeholders to be used for this type of query then you can enable them with the following config:

SilverStripe\ORM\DataList:
  use_placeholders_for_integer_ids: true