I am using the insert() function from Zend_Db_Table_Abstract.

The data being inserted is user input, so naturally I am curious if ZF does the data cleansing for me, or if I should do it myself before I call the insert() function.

A: 

The Zend_Db insertion method sanitizes the parameters sent.

Dan Heberden
Not entirely true. _Table->update() ... "Note: The values and identifiers in the SQL expression are not quoted for you. If you have values or identifiers that require quoting, you are responsible for doing this. Use the quote(), quoteInto(), and quoteIdentifier() methods of the database adapter."
Typeoneerror
Sweet, thanks for the info (updating). Incidentally, you don't have to encode SQL in the update function with Zend_Db_Expr() (e.g. `new Zend_Db_Expr('CURDATE()')`)
Dan Heberden
+1

A: 

Use quoting (quote(), quoteInto()) with Zend_Db_Table: insert (no), update (yes), delete (yes), querying with SQL using the adapter directly (yes). Use quotes with Zend_Db_Table_Select (usually not); make sure you examine the output of the query.

Here's a great answer from one of the authors of Zend_Db (http://stackoverflow.com/questions/975009/avoiding-mysql-injections-with-the-zend-db-class/985316#985316).

Typeoneerror
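The split described in the answer above (insert: no quoting needed; update/delete: quote the WHERE fragment yourself), as an added example that is not code from the question, the answers, or Zend Framework itself. It assumes a Zend Framework 1 install, a `users` table with columns `id`, `email` and `last_login`, and placeholder connection settings.

```php
<?php
// Added example: a ZF1 table class used as the answers describe.
// Assumed: 'users' table (id, email, last_login); placeholder DB credentials.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table/Abstract.php';
require_once 'Zend/Db/Expr.php';

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',   // placeholder
    'username' => 'app',         // placeholder
    'password' => 'secret',      // placeholder
    'dbname'   => 'example',     // placeholder
));
Zend_Db_Table_Abstract::setDefaultAdapter($db);

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

$users  = new Users();
$email  = $_POST['email'];   // untrusted user input, as in the question
$userId = $_POST['id'];      // untrusted user input

// insert(): the column values are handed to the adapter as bound parameters,
// so the adapter quotes them for you (the answer's "insert (no)").
// A Zend_Db_Expr is the documented way to pass raw SQL, and it is deliberately
// left unquoted, so never build one from user input.
$newId = $users->insert(array(
    'email'      => $email,
    'last_login' => new Zend_Db_Expr('NOW()'),
));

// update()/delete(): the data array is still bound, but the $where argument is
// a raw SQL fragment that the table class does not quote (the comment quoted
// on the first answer). Interpolating input into it is the injection bug:
//   $users->update($data, "id = $userId");   // vulnerable: DO NOT do this
// quoteInto() substitutes a literal quoted correctly for the adapter in use.
$where = $db->quoteInto('id = ?', $userId);
$users->update(array('email' => $email), $where);

// Same rule for delete(); the optional third argument casts the value to a
// type first, so a non-numeric id becomes 0 rather than reaching the SQL.
$users->delete($db->quoteInto('id = ?', $userId, 'INTEGER'));
```

When the WHERE clause is built with Zend_Db_Table_Select instead, `where('id = ?', $userId)` performs the same quoteInto() substitution, which is why the answer says quoting there is usually not needed.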