-- iceangel89 <[email protected]> wrote
(on Saturday, 06 June 2009, 08:51 PM -0700):
> Matthew Weier O'Phinney-3 wrote:
> > (In 2.0, we will make escaping the default within Zend_View, and require
> > you to explicitly ask for raw data if you don't want escaping.)
>
> that will be much better!
>
> hmm sometimes if i have a complex query with joins to alot of tables
> ... and i dont have time to find out whats the ZF way to do things ...
> can i use
>
> $val = escapeSql($this->getRequest()->getParam('username')); // is there a
> "escape SQL" function?
> $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")
Each adapter has a quoteInto() method:
$sql = $db->quoteInto(
'SELECT * FROM Users WHERE username = ?',
$this->getRequest()->getParam('username')
);
$results = $db->fetchAll($sql);
However, as noted before, it's usually easier and better to use
Zend_Db_Select, as it does this basically for you. More on that below.
> and u meant not just Zend_Db_Select right? u refer to the quoting mechanism.
> Zend_Db_Select by itself just gives a normal SQL right? is
> quoteInto()/where() etc that escapes for SQL? what if i need to escape
> something not in where? maybe in the joins or having or something else?
Zend_Db_Select does this for you, as the Select objects are adapter
specific. As an example, assuming you are using Sqlite for your
database, if you do the following:
$select = $db->select();
$select->from(array('u' => 'Users'))
->join(array('g' => 'Groups'), 'u.gid = g.id')
->where('g.name = ?', $group);
you will get the following SQL:
SELECT "u".*, "g".* FROM "Users" AS "u"
INNER JOIN "Groups" AS "g" ON u.gid = g.id
WHERE (g.name = 'foo')
As you can see, it does the appropriate quoting for the database adapter
Read the Zend_Db chapter. If you use the various quoting mechanisms, the
insert/update/delte methods, and Zend_Db_Select, you'll be protecting
your application quite well from SQL injections.
--
Matthew Weier O'Phinney
Project Lead | [email protected]
Zend Framework | http://framework.zend.com/
