I'm developing an application that allows users to input into VARCHAR(255) fields in mySQL, so security is a major concern.
I am having trouble understanding quote(). If I use quote('test'), the data returns as '\'test\'' on SELECT, which is undesirable. How do I unquote this data?
If I bypass quote(), I can peek into phpmyadmin and see 'test', so it does not seem that Zend is escaping quotes for me automatically...
My code looks something like this:
public function getDbTable() {
if (null === $this->_dbTable) {
$this->setDbTable(new Zend_Db_Table($this->_tableName));
}
return $this->_dbTable;
}
private function insert($anObject) {
$row['cell1'] = $anObject->getCell1();
$row['cell2'] = $anObject->getCell2();
$this->getDbTable()->insert($row);
}
Should I be using quote() around $anObject->getCell1(), etc. when inserting and updating?