Zend - Do I need to use quote() when inserting/updating?

Question

I'm developing an application that allows users to input into VARCHAR(255) fields in mySQL, so security is a major concern.

I am having trouble understanding quote(). If I use quote('test'), the data returns as '\'test\'' on SELECT, which is undesirable. How do I unquote this data?

If I bypass quote(), I can peek into phpmyadmin and see 'test', so it does not seem that Zend is escaping quotes for me automatically...

My code looks something like this:

    public function getDbTable() {
        if (null === $this->_dbTable) {
           $this->setDbTable(new Zend_Db_Table($this->_tableName));
        }
        return $this->_dbTable;
    }

    private function insert($anObject) {
        $row['cell1'] = $anObject->getCell1();
        $row['cell2'] = $anObject->getCell2();

         $this->getDbTable()->insert($row);
    }

Should I be using quote() around $anObject->getCell1(), etc. when inserting and updating?

Answer 1

No, Zend does it for you.

If I bypass quote(), I can peek into phpmyadmin and see 'test', so it does not seem that Zend is quoting for me automatically...

Hehe, if you see 'test' (with quotes) in PMA, that means that Zend have quoted your string successfully. If Zend did not quote() it - you would see an exeception about wrong query. ;-)

Answer 2

Zend_Db_Table_Abstract::insert uses Zend_Db_Adapter_Abstract::insert to perform insertion. Zend_Db uses prepared statement, so there is no risk for SQL injection when you use insert method. You don't have to quote your values before passing them to insert.