ansaurus

Question

How can I escape complex sql in Zend Framework?

Answer 1

+1 A:

You can do the concatenation of $input at the SQL level:

$sql=$DB->quoteInto("SELECT * FROM t WHERE myname LIKE '%'|| ? ||'%'",$input);

Unfortunately this isn't usable when you want $input to be able to contain literal ‘%’ or ‘_’ characters. To get round this, specify an explicit LIKE-ESCAPE character and escape them yourself:

$inputlike= '%'.preg_replace('[%_=]', '=$0', $input).'%';
$sql=$DB->quoteInto("SELECT * FROM t WHERE myname LIKE ? ESCAPE '='", $inputlike);

(It can be any character, not necessarily '='. This also works around a bug where ESCAPE defaults to ‘\’ when not specified in MySQL.)

Unfortunately SQL Server also takes the ‘[’ character as special, to do a regexp-like character group. So if your DB is SQL Server you have to include ‘[’ in the group in preg_replace. Unfortunately it is not valid ANSL SQL to escape ‘[’ on other DBMSs where it doesn't need to be escaped.

bobince 2009-04-12 00:50:12

And string concatenation is a DBMS-dependent, so check your DBMS docs.

Milen A. Radev 2009-04-12 01:01:28

Hmm, yeah... + is SQL Server and || is ANSI/everyone else, IIRC. Gah, what a mess.

bobince 2009-04-12 01:26:24

A mess indeed. Will see what happens if I open a bug for that in the ZF project.

Itay Moav 2009-04-12 01:36:20

Answer 2

A:

you could just use the function that zf uses on the string which is addcslashes($value, "\000\n\r\'\"\032"); that would replace the string in the same way that zf uses or you could (in the case of mysql) use mysql_real_escape_string.

either way you wouldn't use one of the db quote functions

i do wonder if there's a method in the db class to do this but i don't know of one there should be though.

2009-04-12 01:41:14

Answer 3

+5 A:

The last option is works out well for me i've not experienced it escaping '%'. So $db->quote('%'.$_GET['query'].'%') outputs %queryvalue%

Akeem 2009-04-12 02:28:58

This is the best way :)

David Caunt 2009-04-12 23:40:35

FWIW, it outputs '%queryvalue%' including the single-quotes.

Bill Karwin 2009-08-05 22:16:27

Answer 4

A:

It is very simple:

$sql=$DB->quoteInto("SELECT *
                     FROM t
                     WHERE myname LIKE ?",'%' . $input . '%');

//Will output: SELECT FROM t WHERE myname LIKE '%inputtedvalue%'


$sql=$DB->quoteInto("SELECT *
                     FROM t
                     WHERE myname LIKE ?",'%' . $input);

//Will output: SELECT FROM t WHERE myname LIKE '%inputtedvalue'


$sql=$DB->quoteInto("SELECT *
                     FROM t
                     WHERE myname LIKE ?", $input . '%');

//Will output: SELECT FROM t WHERE myname LIKE 'inputtedvalue%'


$sql=$DB->quoteInto("SELECT *
                     FROM t
                     WHERE myname LIKE ?", $input);

//Will output: SELECT FROM t WHERE myname LIKE 'inputtedvalue'

What is the prolem?

:)

2009-06-25 04:30:09

Answer 5

+1 A:

The problem is, we'd like to escape LIKE special characters Manually replacing them would be a bit dirty, but if there's no solution...

Gruik 2010-01-28 09:10:21

ansaurus

tags:

views:

answers:

How can I escape complex sql in Zend Framework?

related questions