Hi Jared,

> I'm just now learning all the intricacies of preventing SQL injection
> attacks. I understand the value of using Zend_Db quoting for values that
> can be manipulated by users.. what I can't find, though, is a good
> "unescape" command.
>
> If I have an article, for example, that I want to store and then retrieve
> and display, I'll quote the article before inserting it. This will, of
> course, escape all quotes, but it will also put a set of single quotes
> around my entire article. When I then retrieve the article and run
> "stripslashes()" to unescape the quotes, it leaves the surrounding single
> quotes.
Looking at your example, I think you may be a little confused. Escaping
certain characters in preparation for use in an SQL statement simply
inserts the values as intended to be read by the end user into the
database. There's no need to unescape them following a SELECT statement
because no escape characters are stored in the database record.

For anyone else that's curious--without escaping, someone might enter the
following:

Username: admin
Password: ' OR '1' = '1

If it's not properly filtered, it could break out of the
"AND Password = '(password)'" portion of the WHERE clause and return admin
without properly authenticating them.

Hope that helps,

-Matt
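An added example, not code from Matt's reply or from Zend_Db: Python with the standard-library sqlite3 module standing in for MySQL, where quote_value mimics a quote() helper by doubling embedded single quotes (SQL-standard escaping rather than MySQL's backslashes, but the effect is the same), and the table, article text and credentials are constructed. It shows that a value inserted as a quoted literal comes back from SELECT exactly as entered, so nothing needs unescaping, and that the password above only bypasses the check when input is concatenated into the statement instead of bound as a parameter.

```python
import sqlite3

# Constructed sample article containing quote characters.
ARTICLE = "Dear 'Jared', here's an article with quotes inside."
# The password from the reply above, used here as the test input.
INJECTION = "' OR '1' = '1"


def quote_value(value: str) -> str:
    """Mimic a quote() helper: double embedded single quotes and wrap the
    whole string in single quotes so it is a valid SQL string literal."""
    return "'" + value.replace("'", "''") + "'"


def store_and_fetch(value: str) -> str:
    """Insert the value as a quoted literal and read it back. The quotes
    are SQL syntax, not data: the stored row holds the original text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (body TEXT)")
    conn.execute("INSERT INTO articles (body) VALUES (" + quote_value(value) + ")")
    return conn.execute("SELECT body FROM articles").fetchone()[0]


def make_users_db() -> sqlite3.Connection:
    """Constructed users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable form: user input spliced straight into the statement, so a
    quote in the password ends the literal and the rest becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe form: bound parameters are always data, never SQL syntax, so the
    same input is compared literally against the stored password."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0
```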
