Strange I use this all the time with my Inserts:
Also in the manual:
Example 9.87. Example of finding rows by an expression array with
multiple terms
$table = new Bugs();
$where = array(
'bug_status = ?' => 'NEW',
'reported_by = ?' => 'dduck'
);
$rows = $table->fetchAll($where);
// generated SQL contains:
// WHERE bug_status = 'NEW' AND reported_by = 'dduck'
This is for a select but I have found it works for Inserts - does the
above actually guard against SQL injection, or am I mistaken, as the
above example doesn't contain variables?
Slightly confused now.
Matthew Weier O'Phinney wrote:
-- Ian Warner <[EMAIL PROTECTED]> wrote
(on Wednesday, 22 August 2007, 11:48 AM +0900):
Thank you for the guidance.
The manual is misleading then:
"The second argument can be an array of SQL expressions. The expressions
are combined as Boolean terms using an AND operator.
Since the table delete() method proxies to the database adapter delete()
method, the second argument can be an array of SQL expressions. The
expressions are combined as Boolean terms using an AND operator."
It kinda reads that I create the array and the AND is substituted
automatically on iterating the array I pass in.
That *does* work. What *didn't* work in your original attempt was
placeholder substitution:
'user_id = ?' => $user
(BTW, there is *no* place in Zend_Db where the above would work.)
The following *would* work:
$adapter = $table->getAdapter();
$where = array(
$adapter->quoteInto('user_id = ?', $user),
$adapter->quoteInto('video_id = ?', $this->_getParam('code')),
);
Matthew Weier O'Phinney wrote:
-- Ian Warner <[EMAIL PROTECTED]> wrote
(on Tuesday, 21 August 2007, 05:31 PM +0900):
I have
$where = array(
'user_id = ?' => $user,
'video_id = ?' => $this->_getParam('code')
);
$table->delete($where);
You need a well-formed WHERE clause, not an assoc array of column/value
pairs. Try this:
$adapter = $table->getAdapter();
$where = $adapter->quoteInto('user_id = ?', $user)
. ' AND ' . $adapter->quoteInto('video_id = ?',
$this->_getParam('code'));
$table->delete($where);
and I am getting the Exception:
Failed: Mysqli prepare error: Unknown column 'M1F94C3359F8FFC35B' in
'where clause'
$this->_getParam('code') = M1F94C3359F8FFC35B
I just don't understand why it is using the value of code as a column
name when it should be using video_id?
Cheers
Ian
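Matthew's quoteInto() form and Ian's injection question, worked through as an added stand-alone PHP script that is not from this thread or from Zend Framework: quoteInto() and whereExpr() below are assumed stand-ins for $adapter->quoteInto() and the adapter's AND-combination of WHERE terms, built on PDO::quote() over an in-memory SQLite table with constructed rows, so the generated SQL and the number of rows removed can be inspected directly.

```php
<?php
// Added example, not from the thread or from Zend Framework. quoteInto() and
// whereExpr() are assumed stand-ins for $adapter->quoteInto() and the adapter's
// AND-combination of WHERE terms, built on PDO so the script runs on its own
// (needs the pdo_sqlite extension). Table, rows and parameter values are constructed.
function quoteInto(PDO $db, string $expr, $value): string
{
    // Replace the '?' placeholder with the value as an SQL literal: integers
    // verbatim, everything else quoted and escaped by the driver.
    $literal = is_int($value) ? (string) $value : $db->quote((string) $value);
    return str_replace('?', $literal, $expr);
}

function whereExpr(array $terms): string
{
    // Each element must already be a complete SQL expression; they are
    // combined as Boolean terms with AND, as the manual describes.
    return implode(' AND ', array_map(fn(string $t) => "($t)", $terms));
}

function deleteWhere(PDO $db, string $table, array $terms): int
{
    $sql = "DELETE FROM $table WHERE " . whereExpr($terms);
    echo $sql, "\n";
    return $db->exec($sql);   // number of rows removed
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE favourites (user_id INTEGER NOT NULL, video_id TEXT NOT NULL)');
$db->exec("INSERT INTO favourites VALUES (7, 'M1F94C3359F8FFC35B'), (7, 'other'), (8, 'M1F94C3359F8FFC35B')");

$user = 7;                       // stands in for $user
$code = 'M1F94C3359F8FFC35B';    // stands in for $this->_getParam('code')

// The working form from the thread: quote each term first, then AND them.
$removed = deleteWhere($db, 'favourites', [
    quoteInto($db, 'user_id = ?', $user),
    quoteInto($db, 'video_id = ?', $code),
]);
echo "rows removed: $removed\n";

// The injection question: a request parameter carrying a quote cannot close
// the literal, so it matches nothing instead of widening the WHERE clause.
$removed = deleteWhere($db, 'favourites', [
    quoteInto($db, 'user_id = ?', $user),
    quoteInto($db, 'video_id = ?', "other' OR '1'='1"),
]);
echo "rows removed: $removed, rows left: ",
     $db->query('SELECT COUNT(*) FROM favourites')->fetchColumn(), "\n";
```

The key => value form from the original post never reaches quoteInto() at all, which is why the raw parameter ended up in the WHERE clause and MySQL reported it as an unknown column.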