Zend Db avoiding sql injections
I have the following code:

// Method on a Zend_Db_Table_Abstract subclass; $this->select() returns a
// Zend_Db_Table_Select already scoped to the table.
public function checkLoginDetails($email, $password) {
    $select = $this->select();
    $select->where("password=?", md5($password));
    $select->where("email=?", $email);
    return $this->fetchRow($select);
}

email and password come directly from the user. Do I need to filter email with, say, mysql_real_escape_string or does Zend DB do it for me?

Thank you!

Colunga answered 9/12, 2009 at 19:1

I was the main developer on Zend_Db, up to Zend Framework 1.0.

In the example you show, the values are interpolated into the query, with appropriate quotes and escaping applied. You don't have to do anything more.

Internally, it uses the quoting function built into the PHP extension for the Zend_Db_Adapter you're using. E.g. PDO::quote().

Deweydewhirst answered 9/12, 2009 at 19:15

Comments:

Colunga: I am using the mysqli adapter instead of PDO. Does it make any difference?

Deweydewhirst: In that case it's using mysqli::real_escape_string(). Same effect.
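The following is an added example, not code from the question or the answer, that makes the quoting step visible: it builds the same kind of Zend_Db_Table_Select as the question, once with the "column = ?" placeholder form and once with the value concatenated into the condition string, and prints the SQL each one assembles. It assumes Zend Framework 1.x is on the include_path; the Users table class, the in-memory SQLite database and the sample row are constructed for the demo.

```php
<?php
// Added example (not from the original question or answer). Assumes
// Zend Framework 1.x is on the include_path; the table class, database and
// sample rows below are constructed for the demo.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// An in-memory SQLite database keeps the demo self-contained. On MySQL the
// adapter delegates the same quoting step to PDO::quote() or
// mysqli::real_escape_string(), as the answer explains.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
Zend_Db_Table_Abstract::setDefaultAdapter($db);
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$db->insert('users', array('email' => 'alice@example.com', 'password' => md5('correct horse')));

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';

    // Same shape as the question's method. Each "?" is replaced by
    // $adapter->quote($value), so the value always ends up as a single SQL
    // string literal regardless of the characters it contains.
    public function checkLoginDetails($email, $password)
    {
        $select = $this->select();
        $select->where('email = ?', $email);
        $select->where('password = ?', md5($password));
        return $this->fetchRow($select);
    }

    // Placeholder form on its own, so the assembled SQL can be inspected.
    public function buildQuotedSelect($email)
    {
        return $this->select()->where('email = ?', $email);
    }

    // Anti-pattern shown only for contrast: the value is concatenated into
    // the condition before Zend_Db sees it, so nothing gets quoted.
    public function buildUnquotedSelect($email)
    {
        return $this->select()->where("email = '" . $email . "'");
    }
}

$users = new Users();

// Constructed input containing a single quote, the character that delimits
// string literals in SQL. A perfectly legitimate address can contain one.
$input = "o'brien@example.com";

echo "placeholder: " . $users->buildQuotedSelect($input)->assemble() . "\n";
echo "concatenated: " . $users->buildUnquotedSelect($input)->assemble() . "\n";

// The placeholder form is what actually runs for a login check; the password
// is still compared against its md5, exactly as in the question.
$row = $users->checkLoginDetails('alice@example.com', 'correct horse');
echo $row ? "login ok for " . $row->email . "\n" : "login failed\n";
```

In the placeholder output the apostrophe appears doubled inside one quoted literal, so the query stays well-formed and compares the whole input as an email address; in the concatenated output the apostrophe closes the literal early and the remainder of the input becomes part of the SQL, which is the defect that escaping or binding exists to prevent. Two caveats worth keeping in mind: the "?" substitution in where() is client-side quoting (Zend_Db_Adapter_Abstract::quoteInto()), not a server-side prepared statement, so if you want real parameter binding use $db->query($sql, $bind) or $db->fetchRow($sql, $bind) with a bind array; and quote() protects values only, so a table or column name taken from a request must go through quoteIdentifier() instead. Separately from injection, md5() is not a suitable password hash; password_hash() and password_verify() are the modern replacement.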
