12-21-2018, 11:22 AM
Hi Jakob. I deleted your link to that exploit. While I appreciate the person sharing that exploit, the user needed admin access to do it. With admin access, you generally have full run of the database, so we don't really consider that an exploit. We did, however, work with that whitehat guy to close the hole.
PDO (the system UserSpice uses to interact with the database) is extremely resistant to SQL injection. There are two major things that are the responsibility of the coder to do.
1. Never put $_POST data in the DB unsanitized. Usually the best way to do this is, instead of doing $_POST['username'], do Input::get('username').
2. Never use POST or GET data in the DB unbound. In other words, instead of doing
$username = Input::get('username');
$db->query("SELECT * FROM users WHERE username = $username");
do
$db->query("SELECT * FROM users WHERE username = ?", array($username));
Those two things will keep you very, very safe overall.
The only other thing I can say is, if you want the logged-in user's id, don't do something like a hidden input with the user id in it, especially if it is a user-facing feature. Do something like $id = $user->data()->id when processing $_POST.
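The two patterns from the post, unbound versus bound, side by side as an added example (this is not UserSpice's own code and does not use its Input or DB wrapper classes; it talks to PDO directly against an in-memory SQLite database so it runs offline). The users table, the sample rows and the $_SESSION key name are constructed for the demo. It shows that binding is not only about hostile input: a perfectly legitimate username containing an apostrophe breaks the unbound query and works with the bound one, because the value is sent separately from the SQL text and can only ever be compared as data.

```php
<?php
// Added example, not UserSpice code: PDO parameter binding versus string
// interpolation, plus reading the logged-in user's id from the session.

function makeDb(): PDO {
    // Constructed in-memory database so the example needs no server.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)");
    $ins = $pdo->prepare("INSERT INTO users (username, email) VALUES (?, ?)");
    foreach ([['alice', 'alice@example.com'], ["o'brien", 'ob@example.com']] as $row) {
        $ins->execute($row); // even the seed data is bound, never interpolated
    }
    return $pdo;
}

// The unbound form the post warns against: the value becomes part of the SQL
// text, so the database parses whatever the user typed as statement syntax.
function findUserUnbound(PDO $pdo, string $username): array {
    $stmt = $pdo->query("SELECT id, username FROM users WHERE username = '$username'");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The bound form: the statement shape is fixed at prepare() time and the value
// is supplied to execute(), so quotes in it are just characters to compare.
function findUserBound(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The post's last point: the acting user's id comes from server-side state
// (UserSpice exposes it as $user->data()->id), never from a hidden form field,
// because a hidden field is just more $_POST data the client controls.
// 'user_id' is an assumed session key for this demo.
function currentUserId(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

$pdo = makeDb();
$input = "o'brien"; // constructed "user input" containing a plain apostrophe

try {
    findUserUnbound($pdo, $input);
} catch (PDOException $e) {
    // The apostrophe terminates the string literal early: syntax error.
    echo "unbound query failed on a legitimate name: " . $e->getMessage() . "\n";
}

// Bound lookup finds the row; the apostrophe never touches the SQL text.
print_r(findUserBound($pdo, $input));

// Simulate a logged-in session rather than trusting a posted id.
$_SESSION = ['user_id' => 2];
$id = currentUserId();
$stmt = $pdo->prepare("SELECT email FROM users WHERE id = ?");
$stmt->execute([$id]);
echo "email for session user {$id}: " . $stmt->fetchColumn() . "\n";
```

Run it with `php example.php` (the pdo_sqlite extension is bundled with most PHP builds). The same split applies to every query type, not just SELECT: the moment a value is concatenated into the SQL string, the database can no longer tell data from syntax, and the fix is always a placeholder plus a bound value, not escaping by hand.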