tags:

views:

317

answers:

1
+2  Q: 

Zend Db avoiding sql injections

Hi, I have the following code:

public function checkLoginDetails($email, $password) {
 $select = $this->select ();
 $select->where ( "password=?", md5($password) );
 $select->where ( "email=?", $email );
 return $this->fetchRow($select);

}

email and password come directly from the user. Do I need to filter email with, say, mysql_real_escape_string or does Zend DB do it for me?

Thank you!

+7  A: 

I was the main developer on Zend_Db, up to Zend Framework 1.0.

In the example you show, the values are interpolated into the query, with appropriate quotes and escaping applied. You don't have to do anything more.

Internally, it uses the quoting function built into the PHP extension for the Zend_Db_Adapter you're using. E.g. PDO::quote().

Bill Karwin  2009-12-09 19:15:34
I am using mysqli adapter instead of PDO. Does it make any difference?
Ilya Biryukov  2009-12-10 00:18:07
In that case it's using `mysqli::real_escape_string()`. Same effect.
Bill Karwin  2009-12-10 00:34:27

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP