php, mysql, zend-framework, zend-db-table

avoiding MySQL injections with the Zend_Db class


I currently use Zend_Db to manage my queries. I've already written code that performs queries like the one below:

$handle->select()->from('user_id')
        ->where('first_name=?', $id)
        ->where('last_name=?', $lname);

I've done this without sanitizing the input, assuming Zend_Db will. Does Zend do this?

Another question: Does Zend_Db sanitize insert('table', $data) and update queries?

Thanks.
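One way to see for yourself what Zend_Db does with the values, as an added example that is not part of the original question or answer: build the same kind of query with a deliberately hostile value, print the assembled SQL, and turn on the profiler to inspect what insert() and update() actually send. The script assumes Zend Framework 1.x is on the include_path; it uses the Pdo_Sqlite adapter with an in-memory database so it runs without a MySQL server (the Pdo_Mysql adapter quotes through the same PDO::quote path, only the escape style differs). The table and column names are hypothetical.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes Zend Framework 1.x on the include_path. Uses Pdo_Sqlite with an
// in-memory database so it runs offline; with Zend_Db::factory('Pdo_Mysql', ...)
// and real credentials the same calls run against MySQL.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));

// Hypothetical schema for the example.
$db->query('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');

// Constructed attacker-controlled input: a quote plus a second statement.
$firstName = "Robert'; DROP TABLE users; --";
$lastName  = 'Smith';

// 1. where('col = ?', $value): the '?' is replaced by the quoted value, so the
//    apostrophe in $firstName is escaped and cannot close the string literal.
//    __toString() on the select object shows the SQL that would be run.
$select = $db->select()
    ->from('users', array('user_id'))
    ->where('first_name = ?', $firstName)
    ->where('last_name = ?', $lastName);
echo 'select: ' . $select . PHP_EOL;

// 2. insert(): the column values are passed as bound parameters, not spliced
//    into the SQL text. The profiler shows the statement and the parameters
//    separately.
$db->getProfiler()->setEnabled(true);
$db->insert('users', array('first_name' => $firstName, 'last_name' => $lastName));
$profile = $db->getProfiler()->getLastQueryProfile();
echo 'insert: ' . $profile->getQuery() . PHP_EOL;
print_r($profile->getQueryParams());

// 3. update(): the SET values are bound like insert(), but the WHERE clause is
//    a plain string that Zend_Db does not touch. Build it with quoteInto() so
//    the value is quoted; never interpolate the raw value into the string.
$db->update(
    'users',
    array('last_name' => 'Jones'),
    $db->quoteInto('first_name = ?', $firstName)
);
echo 'update: ' . $db->getProfiler()->getLastQueryProfile()->getQuery() . PHP_EOL;
$db->getProfiler()->setEnabled(false);

// The table still exists and the payload was stored as plain data, which is
// what correct quoting looks like from the database's point of view.
$row = $db->fetchRow(
    $db->select()->from('users')->where('first_name = ?', $firstName)
);
echo 'stored first_name: ' . $row['first_name'] . ', last_name: ' . $row['last_name'] . PHP_EOL;
echo 'rows in users: ' . $db->fetchOne('SELECT COUNT(*) FROM users') . PHP_EOL;
```

The contrast worth remembering is between the two argument styles: a value passed through a `?` placeholder (where(), quoteInto(), the $data array of insert()/update()) is quoted or bound for you, while a raw SQL string you assemble yourself (the $where argument of update()/delete(), anything passed straight to query()) is used verbatim.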


Solution

  • I wrote a lot of the code for database parameters and quoting in Zend Framework while I was the team lead for the project (up to version 1.0).

    I tried to encourage best practices where possible, but I had to strike a balance with ease of use.

    Note that you can always examine the string value of a Zend_Db_Select object, to see how it has decided to do quoting.

    print $select; // invokes __toString() method
    

    Also you can use the Zend_Db_Profiler to inspect the SQL that is run on your behalf by Zend_Db.

    $db->getProfiler()->setEnabled(true);
    $db->update( ... );
    // SQL text as sent to the driver, then the bound parameter values
    print $db->getProfiler()->getLastQueryProfile()->getQuery();
    print_r($db->getProfiler()->getLastQueryProfile()->getQueryParams());
    $db->getProfiler()->setEnabled(false);
    

    Here are some answers to your specific questions: