Do I need to sanitize user input on an XData Client

When doing this stuff in PHP, I would have to manually sanitize all user input to prevent things like SQL injection. Do I still need to do this, or does the XData framework prevent this type of attack?

Depending on how you're passing parameters into XData, this is still very likely required and a good practice in any event. Keep in mind that an XData server might be receiving requests from unknown (and not well-meaning) third parties, so it's best to treat them accordingly.


Is there a hook or event where I can see user input on the server? Or even the query string?

For service operations you of course already see the values in the input parameters.

For Aurelius CRUD endpoints, you can use XData events like OnEntityGet and OnEntityList:

https://doc.tmssoftware.com/biz/xdata/guide/events.html