Re: [fw-general] Re: Generating a mysql IN() operator with arrays and quoteInto possible?

Wed, 13 Apr 2011 08:31:28 -0700 

Be careful,
If you have only one placeholder and an array of values to bind to it, you'll get an exception about there being a mismatch in placeholders versus bound variables. Be sure to use the array_fill() method to execute a proper escaping on ALL of the data you input into your method. Furthermore, if you join an array of values, then bind that string to the placeholder, you will be escaping the whole string and not the individual values. For example: 

$array = array(1, 2, 3);
$SQL = "SELECT * FROM myTable WHERE id IN(?)";
$query = $this->_db->query($SQL, join(',', $array));

The resulting SQL will look like:

SELECT * FROM myTable WHERE id IN('1, 2, 3');

Which will yield 0 results since id is a number and not a string.

It would be best to generate a series of placeholders using array_fill() so that 
each value is escaped and bound properly.



After reviewing the method I showed you earlier, you would end up with a syntax 
error. My apologies for this. Try this instead:


function getList(array $list)
{
  $placeholders = array_fill(0, '?', count($list));
  return $this->_db->query(
    $this->select(true)
@h@    ->where(sprintf("column IN(%s)", join(', ', $placeholders), $list)
  );
}

The @h@ is the highlighted line of change of which you should be wary.


Additionally, I don't trust quoteInto(). IMO, it's not the safest way of 
escaping data as it's not binary-/charset-safe.


Hope this helps,
-Kizano
//-----
Information Security
eMail: [email protected]
http://www.markizano.net/

On 04/13/2011 11:16 AM, annette66 wrote:

Thank you - I was being an idiot and had forgotten that I had actually
imploded the arrays elsewhere and joined them as a string - absolutely
nothing to do with quoteInto which does simply work:

->where("blah IN (?)", $array); or
->quoteInto(' blah IN (?)', $array);




--
View this message in context: 
http://zend-framework-community.634137.n4.nabble.com/Generating-a-mysql-IN-operator-with-arrays-and-quoteInto-possible-tp3447311p3447428.html
Sent from the Zend Framework mailing list archive at Nabble.com.



--
List: [email protected]
Info: http://framework.zend.com/archives
Unsubscribe: [email protected]
























					Reply via email to