The two global functions just execute SQL; you should use AdjustSql() to escape the value, see https://discourse.hkvstore.com/t/executescalar-sql-best-practice/8272/1. To use prepared statements, you may use the DBAL connection and its methods directly, e.g. Conn()->prepare("Your SQL"); see Using Prepared Statements.
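
The prepared-statement route mentioned above, as an added example (not code from the post or from PHPMaker). It assumes doctrine/dbal 3.x installed via Composer and the pdo_sqlite extension, and builds an in-memory SQLite connection with constructed data; in a PHPMaker project, Conn() would supply the connection instead. The `customers` table and the `findEmailByName` helper are hypothetical.

```php
<?php
// Added example, not PHPMaker code. Assumes doctrine/dbal 3.x (Composer) and pdo_sqlite.
// Inside a PHPMaker project, replace the DriverManager call with Conn().
require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\Connection;
use Doctrine\DBAL\DriverManager;

// Constructed sample data in an in-memory SQLite database.
$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$conn->executeStatement(
    'CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)'
);
$conn->insert('customers', ['name' => "O'Brien", 'email' => 'obrien@example.test']);
$conn->insert('customers', ['name' => 'Smith', 'email' => 'smith@example.test']);

/**
 * Scalar lookup with a bound parameter (hypothetical helper name).
 * Returns the e-mail address, or null when no row matches.
 */
function findEmailByName(Connection $conn, string $name): ?string
{
    // The SQL text is fixed; the user-supplied value never becomes part of it.
    $stmt = $conn->prepare('SELECT email FROM customers WHERE name = ?');
    $stmt->bindValue(1, $name);

    // fetchOne() returns the first column of the first row, or false if no row.
    $value = $stmt->executeQuery()->fetchOne();

    return $value === false ? null : (string) $value;
}

// A quote inside the value needs no AdjustSql()-style escaping when it is bound.
var_dump(findEmailByName($conn, "O'Brien"));

// Constructed input shaped like SQL: it is compared as a literal name, not parsed.
var_dump(findEmailByName($conn, "x' OR '1'='1"));
```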