I am using the insert() function from Zend_Db_Table_Abstract.
The data being inserted is user input, so naturally I am curious if ZF does the data cleansing for me, or if I should do it myself before I call the insert() function.
Asked
Active
Viewed 2,257 times
2
-
Thanks for the help guys. I have updated my DbTable classes so whenever I query a text field, I first run: $data = $this->_db->quote($data); Additionally, integers have become: $data = (int)$data; – May 24 '10 at 23:30
2 Answers
2
When you need to use quoting (quote(), quoteInto()) with Zend_Db_Table:
insert(no)update(yes)delete(yes)- querying with SQL using the adapter directly (yes).
Use quotes with Zend_Db_Table_Select (usually not); make sure you examine the output of the query.
Here's a great answer from one of the authors of Zend_Db (avoiding MySQL injections with the Zend_Db class).
Community
- 1
- 1
typeoneerror
- 55,990
- 32
- 132
- 223
0
The Zend_Db insertion method sanitizes the parameters sent.
Dan Heberden
- 10,990
- 3
- 33
- 29
-
1Not entirely true. _Table->update() ... "Note: The values and identifiers in the SQL expression are not quoted for you. If you have values or identifiers that require quoting, you are responsible for doing this. Use the quote(), quoteInto(), and quoteIdentifier() methods of the database adapter." – typeoneerror May 24 '10 at 16:31
-
Sweet, thanks for the info (updating). Incidentally, you don't have to encode SQL in the update function with Zend_Db_Expr() `(e.g. new Zend_Db_Expr('CURDATE()') )` – Dan Heberden May 24 '10 at 16:33