mysql_real_escape_string with Zend

Asked 31/12, 2011 at 2:17 Answered 24/2, 2016 at 6:40

Solved php zend-framework zend-db mysql-real-escape-string

I am developing a web application using zend framework. For select statements I have used following way.

Ex:

public function getData($name)
{
  $sql = "SELECT * from customer where Customer_Name = '$name'";
  return $this->objDB->getAdapter()->fetchAll ($sql);
}

This works fine. But If I send customer name as : colvin's place, The query fail. And I know it's because of the single quote.

Earlier I used addslashes PHP function. But I saw it is not a good way to do this. This time I used mysql_real_escape_string PHP function.

The issue is it says following warning.

Warning</b>: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: Access denied for user 'ODBC'@'localhost' (using password: NO)

This is because of the mysql_real_escape_string function needs a connection to the database opened by mysql_connect. My question is how can I use this with *Zend_DB* classes. I need to use custom select queries always. Appreciate your other suggestions if available.

Thank you

Auguste answered 31/12, 2011 at 2:17 Comment(2)

Did yo try using Zend_DB_Statement – Nikolaus 31/12, 2011 at 2:23

I use addslashes() and for integers Intval(). But using addslashes is a bad practice. – Protero 31/7, 2012 at 14:3

You can use the quote() function provided by Zend_Db:

http://framework.zend.com/manual/en/zend.db.adapter.html#zend.db.adapter.quoting.quote

Peavey answered 31/12, 2011 at 3:19 Comment(2)

Thank you. I will check that. – Auguste 31/12, 2011 at 3:32

The reason you don't just post link is because they tend to return 404 – Swithin 18/1, 2016 at 8:2

You could use parameter binding as well, then the method will look like:

public function getData($name)
{
  $sql = "SELECT * from customer where Customer_Name = :name";
  return $this->objDB->getAdapter()->fetchAll ($sql, ['name' => $name]);
}

Then your data will be escaped automatically

Trentontrepan answered 31/10, 2014 at 15:31 Comment(0)

I had this problem, I used this way and is working correctly:

You can use quote():

The quote() method accepts a single argument, a scalar string value. It returns the value with special characters escaped in a manner appropriate for the RDBMS you are using, and surrounded by string value delimiters. The standard SQL string value delimiter is the single-quote (').

But quote returns a string with 'string' (return it inside quotation), for example I get an string from user from a input-text box (or by URL in GET method)

$string = $this->parameters['string']; // This is like $_POST or $_GET
$string = $this->db->quote($string);
$string = substr($string, 1, strlen($string)-2);   
//The above line will remove quotes from start and end of string, you can skip it

Now we can use this $string, and it is like what mysql_real_escape_string returns

Speight answered 24/2, 2016 at 6:40 Comment(1)

why not simply trim($this->db->quote($string), '"\'"); – Careless 5/9, 2017 at 14:26

I had the same problem and this solution works fine for me. I hope this will help. you can do something like this:

$quote_removed_name = str_replace("'","''",$name);

then write your query this way:

$sql = "SELECT * from customer where Customer_Name = '$quote_removed_name'";

Stateroom answered 31/7, 2012 at 13:38 Comment(2)

How do you ensure that there are no other characters that need escaping? mysqli_real_escape_string() knows them all, and they depend on the encoding setting of the database connection. – Revengeful 11/10, 2012 at 8:1

Furthermore, you don't always want to remove quotes (as yours is effectively doing). The solution you present isn't solving the problem, it's a band-aid for part of the problem. – Downspout 14/11, 2013 at 23:33

Recommended topics

Hot tags