It's actually doing one better than quoting. The insert() method uses
parameterized queries for most values. So under the covers it's doing
this:
INSERT INTO tablename (col1, col2, col3, col4) VALUES (?, ?, ?, ?)
Then the values are sent as a separate operation. So there's no
opportunity for SQL injection.
The exception is if your column-value pair specifies the value as a
Zend_Db_Expr, so you can insert the value of an expression. For
example:
$db->insert('tablename', array(
'col1' => 'value',
'col2' => 'value',
'col3' => 'value',
'col4' => new Zend_Db_Expr("DATE '2007-06-13'")
));
This results in the SQL statement:
INSERT INTO tablename (col1, col2, col3, col4) VALUES (?, ?, ?, DATE '2007-06-13')
That is, the string specified in the Zend_Db_Expr is treated completely
literally, and so you are responsible for providing any quoting
necessary. There's no way Zend_Db can do this for you, because the expr
can be any legal SQL syntax.
Regards,
Bill Karwin
> -----Original Message-----
> From: Cristian Bichis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 13, 2007 4:46 AM
> To: [email protected]
> Subject: [fw-general] Zend_DB_Adapter question
>
> Hello,
>
> Does anyone know if the insert method of adapters is automatically quoting
> things from the array $bind (column-value pairs)?
>
> I am trying to avoid SQL injection attempts...
>
> --
> Cristian Bichis
> www.zftutorials.com | www.zfforums.com | www.zflinks.com |
> www.zftalk.com
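The behaviour Bill describes, as an added PHP example that is not part of the thread: plain values are bound as placeholders, a Zend_Db_Expr is inlined verbatim, so any runtime data inside one must be quoted through the adapter. It assumes Zend Framework 1.x on the include path, the PDO SQLite adapter, and a made-up notes table.

```php
<?php
// Added example (not from the original thread). Assumes Zend Framework 1.x
// is on the include path and PDO SQLite is available; the notes table and
// its columns are made up for the demo.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Expr.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT, created TEXT)');

// Constructed untrusted input that happens to contain a quote character.
$author = "O'Reilly";
$body   = 'plain text';

// 1) Plain values: insert() sends them as bound parameters, so the quote in
//    $author travels as data and is never parsed as SQL.
$db->insert('notes', array(
    'author'  => $author,
    'body'    => $body,
    'created' => new Zend_Db_Expr('CURRENT_TIMESTAMP'), // fixed, trusted expression
));

// 2) A Zend_Db_Expr is pasted into the statement exactly as given. Building
//    it from raw input breaks the statement at the quote (and hands control
//    of the SQL to whoever supplied the input); SQLite rejects it here.
try {
    $db->insert('notes', array(
        'author'  => new Zend_Db_Expr("'" . $author . "'"), // WRONG: raw interpolation
        'body'    => $body,
        'created' => new Zend_Db_Expr('CURRENT_TIMESTAMP'),
    ));
} catch (Exception $e) {
    echo "raw Zend_Db_Expr failed: " . $e->getMessage() . "\n";
}

// 3) When an expression must carry runtime data, quote it with the adapter
//    first (or better, keep the data out of the Expr and bind it instead).
$db->insert('notes', array(
    'author'  => new Zend_Db_Expr('UPPER(' . $db->quote($author) . ')'),
    'body'    => $body,
    'created' => new Zend_Db_Expr('CURRENT_TIMESTAMP'),
));

foreach ($db->fetchAll('SELECT author, created FROM notes ORDER BY id') as $row) {
    echo $row['author'], ' @ ', $row['created'], "\n";
}
```

Only two rows end up in the table: the bound value and the adapter-quoted expression; the raw interpolation never reaches the database.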