I've got a few doubts regarding quoting mysql queries in Zend framework. Though this question has helped me a bit, a few things are still confusing:

1) $table is Zend_Db_Table. Trying to fetch a row from the table.

$where[] = $db->quoteInto('id = ?', $id);
$where[] = $db->quoteInto('user_id = ?', $user_id);
$row = $table->fetchRow($where);

Do I need to use quoteInto here or would it be automatically quoted in fetchRow? What'd be the better way for this kind of query? Could 2 of the quoteInto be merged into one, if required at all?

2) $table is Zend_Db_Table. Trying to save a row in the table.

$tablerow = $table->createRow();
$rowdata = array('id' => $id, 'user_id' => $user_id);
$tablerow->setFromArray($rowdata);
$ret = $tablerow->save();

Do I need to use some sort of quote function here?

3) $table is Zend_Db_Table. Trying to update a row in the table.

$row = $table->fetchRow($where);
$row->name = $name;
$row->save();

Do I need to quote $name in second step?

4) General query

A)

$sql = "SELECT * FROM users where id=? and name=?";
$results = $db->fetchAll($sql, array($id, $name));

Do I need to quote here?

B)

$sql = "SELECT * FROM users where id=? and name=?";
$stmt = $db->query($sql, array($id, $name));
$result = $stmt->fetchAll();

Do I need to quote here?

C) Which of the A or B is better for a general query?
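The four cases from the question, written out as an added example (not code from the question or from Zend Framework itself) so the difference between "pasted into the SQL" and "bound by the adapter" is visible. It assumes Zend Framework 1.x on the include_path and builds an in-memory SQLite table and sample values here; the `Users` table class and the `name` column are constructed for the example.

```php
<?php
// Added example: the question's four cases, done so that user input is
// always quoted or bound by Zend_Db rather than concatenated into SQL.
// Assumes Zend Framework 1.x on the include_path; the table, class and
// sample values below are constructed for this example.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
Zend_Db_Table_Abstract::setDefaultAdapter($db);

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}
$table = new Users();

// Untrusted input (constructed). The apostrophe would break or change the
// statement if it ever reached the SQL string unquoted.
$id      = 7;
$user_id = 42;
$name    = "O'Brien";

// Case 2 (save a new row): the row object issues a parameterised INSERT,
// so nothing has to be quoted by hand.
$row = $table->createRow();
$row->setFromArray(array('id' => $id, 'user_id' => $user_id, 'name' => $name));
$row->save();

// Case 1 (fetch): plain strings handed to fetchRow() are ANDed together and
// inserted into the WHERE clause as-is, so each one must be built with
// quoteInto(). Two values need two calls (or one of the forms below).
$where   = array();
$where[] = $db->quoteInto('id = ?', $id);
$where[] = $db->quoteInto('name = ?', $name);
$found   = $table->fetchRow($where);

// Same query, letting the table quote for you: string keys are treated as
// "condition => value" and bound, and a Zend_Db_Table_Select binds too.
$found2 = $table->fetchRow(array('id = ?' => $id, 'name = ?' => $name));
$select = $table->select()->where('id = ?', $id)->where('name = ?', $name);
$found3 = $table->fetchRow($select);

// Case 3 (update through the row): assignment followed by save() runs a
// parameterised UPDATE; $name is not quoted by hand.
$found->name = "D'Arcy";
$found->save();

// Cases 4A and 4B: both bind the array to the ? placeholders through the
// prepared statement, so neither needs quote(). They differ only in whether
// you get the rows directly or the statement object.
$sql   = 'SELECT * FROM users WHERE id = ? AND name = ?';
$rowsA = $db->fetchAll($sql, array($id, "D'Arcy"));
$stmt  = $db->query($sql, array($id, "D'Arcy"));
$rowsB = $stmt->fetchAll();

// What placeholders cannot cover: a column or table name chosen at runtime.
// That part of the SQL text has to go through quoteIdentifier().
$column = 'name';
$sqlDyn = 'SELECT ' . $db->quoteIdentifier($column) . ' FROM users WHERE id = ?';
$names  = $db->fetchCol($sqlDyn, array($id));

printf("before update: %s / %s, after: %s, rows A=%d B=%d, col=%s\n",
    $found2->name, $found3->name, $found->name, count($rowsA), count($rowsB), $names[0]);
```

The rule that falls out of this: a value passed through `quoteInto()`, a `?` bind array, a `select()->where()` call or a row object's `save()` is handled by the adapter; the only thing left to quote manually is text you splice into the SQL string yourself, and for identifiers that means `quoteIdentifier()`, not `quote()`.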

+2  A: 

Regardless of the answer, I think it might be useful to write some tests so you can be certain it's doing what you want it to do. Set up a test database and create some unit tests with PHPUnit or whatever test framework you like.

Adam Sheehan
@adam: yes, I think that'd be ideal.
understack
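A test of the kind the answer suggests, added here as an example rather than taken from the answer or from Zend Framework: it checks that names containing quote characters survive a `Zend_Db_Table` round trip through both the `quoteInto()` and the bound-parameter forms, and that the unquoted concatenation fails loudly instead of silently. It assumes Zend Framework 1.x and PHPUnit 3.x on the include_path; the `Users` class, the table and the sample names are constructed for the test.

```php
<?php
// Added example: PHPUnit test for the quoting behaviour discussed above.
// Assumes Zend Framework 1.x and PHPUnit 3.x on the include_path; the Users
// class, in-memory table and sample names are constructed here.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

class UsersQuotingTest extends PHPUnit_Framework_TestCase
{
    private $db;
    private $table;

    protected function setUp()
    {
        // A fresh in-memory database per test keeps the tests independent.
        $this->db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
        $this->db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
        $this->table = new Users(array('db' => $this->db));
    }

    // Constructed names that would break a query if concatenated raw.
    public function awkwardNames()
    {
        return array(
            array("O'Brien"),
            array('say "hi"'),
            array('back\\slash'),
            array('semi;colon -- dash'),
        );
    }

    /** @dataProvider awkwardNames */
    public function testQuotedAndBoundFormsRoundTrip($name)
    {
        $row = $this->table->createRow();
        $row->setFromArray(array('id' => 1, 'user_id' => 5, 'name' => $name));
        $row->save();

        // quoteInto() form from the question
        $where = array(
            $this->db->quoteInto('id = ?', 1),
            $this->db->quoteInto('name = ?', $name),
        );
        $fetched = $this->table->fetchRow($where);
        $this->assertNotNull($fetched);
        $this->assertSame($name, $fetched->name);

        // bound-parameter form from the question
        $rows = $this->db->fetchAll('SELECT * FROM users WHERE id = ? AND name = ?', array(1, $name));
        $this->assertEquals(1, count($rows));
        $this->assertSame($name, $rows[0]['name']);

        // the value was stored as text and nothing else happened to the table
        $this->assertEquals(1, $this->db->fetchOne('SELECT COUNT(*) FROM users'));
    }

    public function testRawConcatenationOfAnApostropheFails()
    {
        // The form to avoid: the value is pasted into the WHERE string, so the
        // apostrophe becomes SQL syntax and the statement is rejected.
        $this->setExpectedException('Zend_Db_Exception');
        $this->table->fetchRow("name = 'O'Brien'");
    }
}
```

Run it with `phpunit UsersQuotingTest.php`; if the project uses a different adapter in production, point the factory at that adapter in `setUp()` instead of SQLite, since quoting rules are adapter-specific.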