I use PHP and make my SQL calls with an ORM called Idiorm.
A request might look like this:
$person = ORM::for_table('person')->create();
$person->name = $_POST['name'];
$person->age = $_POST['age'];
$person->save();
It works just fine, but might it not be secure against SQL injection? What is the correct / best way to solve this? An example?
From their readme:
Features
- Built on top of PDO.
- Uses prepared statements throughout to protect against SQL injection attacks.
However, for the table name it says
Note that this method *does not escape its query parameter and so the table name should not be passed directly from user input.*
The same goes for limiting, ordering and grouping, so for those you need to think of alternate methods (such as letting only ASCII-7 characters pass, for example). If you need to do it, limits are just integers, so you can do a ctype_digit check. For ordering and grouping, you could check for alphanumerics, assuming you don't have anything else in your column names. That can be done with ctype_alnum.
But the query you have there should be fine, as it doesn't have those.
Of course, you shouldn't just believe it - test it.
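As an added example (not code from the question, the answer or the Idiorm project), here is what the validation described in the answer looks like in practice: bound values such as the age go through Idiorm's prepared statements untouched, while the order column and the limit, which Idiorm interpolates into the SQL text, are checked with ctype_alnum/ctype_digit and, for the column, a whitelist. The column names, the $_GET parameter names and the SQLite DSN are assumptions for the sake of the example.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes idiorm.php is on the include path and a 'person' table with
// 'name' and 'age' columns, as in the question.
require_once 'idiorm.php';
ORM::configure('sqlite::memory:'); // assumed DSN; use your real connection here

// Columns that user input may select for ordering/grouping (assumed names).
const ORDERABLE_COLUMNS = ['name', 'age'];

// Returns $input unchanged if it is a plain alphanumeric string AND one of the
// allowed column names; throws otherwise. The whitelist is the real control,
// ctype_alnum just guarantees the comparison never sees quotes, spaces, etc.
function safe_column($input, array $allowed): string {
    if (!is_string($input) || !ctype_alnum($input) || !in_array($input, $allowed, true)) {
        throw new InvalidArgumentException('invalid column name');
    }
    return $input;
}

// Returns $input as an int between 1 and $max. ctype_digit accepts only a
// non-empty string of ASCII digits, so "-1", " 5", "1e3" and "1;--" are rejected.
function safe_limit($input, int $max = 100): int {
    if (!is_string($input) || !ctype_digit($input)) {
        throw new InvalidArgumentException('invalid limit');
    }
    $n = (int) $input;
    if ($n < 1 || $n > $max) {
        throw new InvalidArgumentException('limit out of range');
    }
    return $n;
}

// Assumed request parameters; $_GET values are always strings (or arrays).
$order  = safe_column($_GET['order'] ?? 'name', ORDERABLE_COLUMNS);
$limit  = safe_limit($_GET['limit'] ?? '20');
$minAge = $_GET['min_age'] ?? '0';

$people = ORM::for_table('person')
    ->where_gte('age', $minAge)   // bound parameter: safe without validation
    ->order_by_asc($order)        // interpolated identifier: whitelisted above
    ->limit($limit)               // interpolated integer: ctype_digit-checked above
    ->find_many();

foreach ($people as $person) {
    echo $person->name, ' (', $person->age, ")\n";
}
```

If a request fails validation the exception aborts the query rather than falling back to a default, which is the behaviour you want for input that should never be attacker-controlled in the first place. Extending the whitelist is the only change needed when more columns become sortable.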