ClanCats Logo


Parameter parsing and escaping

One important thing to know is that Hydrahon will try to parse and auto escapes your parameters. Read this carefully to avoid unexpected behavior.

Warning: First of all, hydrahons escaping does NOT prevent SQL injection! Prepared statements will do that job for you. Hydrahon escapes keys & names to avoid a collision with a reserved keywords.


For example when we define the following select query.

$h->table('users')->select('id, name, password');

And dump the query object:

class ClanCats\Hydrahon\Query\Sql\Select#9 (14) {
  protected $fields =>
  array(3) {
    [0] => array(2) {
      [0] => string(2) "id" 
      [1] => NULL
    [1] => array(2) {
      [0] => string(4) "name" 
      [1] => NULL
    [2] => array(2) {
      [0] => string(8) "password" 
      [1] => NULL

We can see that Hydrahon parsed the given string and exploded it into separate values.

The same thing happens with the as keyword and when you add a database prefix.

$h->table('users')->select('db.fullname as name');

But in this case, the escaping will happen by executing the query. This is the resulting SQL query:

select `db`.`fullname` as `name` from `users`

As you can see all field names have been quoted. This is done to prevent collisions with reserved SQL keywords.