AFAIK, your attributes will be stored with eZPersistentObject::storeObject. As you can see in http://pubsvn.ez.no/doxygen/ezpersistentobject_8php-source.html (line 00501, i.e.), it makes use of $db->escapeString( $value ), which prevents SQL injection.
HTH
Sascha