I'm using the Propel framework for communication with a database. I figured that it's using PDO and makes a bindParam() when I try to make an input, so SQL injections should be covered.
But does it provide extra security such as strip_tags(), htmlspecialchars() or similar stuff, or should I do this manually?
I have used PDO before so I know the basics, but it's the first time I'm using Propel.
I would not expect an ORM to protect against XSS attacks. That is a problem that has nothing to do with the database layer (and would cause you problems if you wanted to store HTML).
The only "security" that Propel provides is the parameter binding that you mention. Anything beyond that could cause issues if someone does want to store html tags, special characters, etc. That said, you can extend Propel to do that for you if necessary. For example, you could override the setXxxx() method(s) in your class:
    // Book extends the generated Propel base class for the model (BaseBook);
    // the setter is an instance method, so it must not be declared static
    class Book extends BaseBook {
        ...
        public function setTitle($v) {
            // strip markup before handing the value to the generated setter
            return parent::setTitle(strip_tags($v));
        }
        ...
    }
Doing something like the above will let you execute strip_tags() on the Book title any time it is set. Since Propel uses the setter method anywhere it can, you should be good. Of course, YOUR code has to actually use that setter everywhere to ensure it happens.
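To make the trade-off in this answer concrete, here is an added example (not from the answer or from Propel) that contrasts stripping tags in the setter with storing the value untouched and escaping it at output; BaseBook is a minimal stand-in for the generated Propel base class so the file runs without a database.

```php
<?php
// Added example, not from the original answer or from Propel itself.
// BaseBook is a stand-in for the generated Propel base class (assumption),
// so this runs without a database connection.
class BaseBook {
    protected $title;
    public function setTitle($v) { $this->title = $v; return $this; }
    public function getTitle() { return $this->title; }
}

// Approach from the answer: sanitize on the way in by overriding the setter.
// Downside: any legitimate text containing angle brackets is altered before
// it ever reaches the database, and the original input cannot be recovered.
class Book extends BaseBook {
    public function setTitle($v) {
        return parent::setTitle(strip_tags($v));
    }
}

// Alternative: store the value exactly as given and escape it for the
// HTML context where it is rendered. The database keeps the real data
// and the escaping is chosen per output context, not per column.
class RawBook extends BaseBook {}

function renderTitle(BaseBook $book) {
    // ENT_QUOTES also escapes single quotes, which matters inside attributes
    return '<h1>' . htmlspecialchars($book->getTitle(), ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed sample input: a title that legitimately mentions HTML
// and also carries a script element that must never reach the browser live.
$input = 'Intro to <b>HTML</b> <script>alert(1)</script>';

// Input-side stripping: the <b> the author meant to keep is lost along with the script.
$stripped = (new Book())->setTitle($input);
echo $stripped->getTitle(), PHP_EOL;

// Output-side escaping: the stored title is intact and the browser renders
// the angle brackets as text instead of executing anything.
$raw = (new RawBook())->setTitle($input);
echo renderTitle($raw), PHP_EOL;
```

Run it with `php example.php`; the first line shows the markup removed, the second shows the same input rendered as inert, escaped text.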