tags:

views:

337

answers:

2
Q: 

Increment values using Zend_DB_Table Raw SQL

I have a website where a user can upload images for a real estate property.
The table structure:

image_id
property_id
userid
filename
thumbfilename
display_order
timestamp

The scenario: When a user uploads multiple pictures, he / she SHOULD be able to set the primary photo from their uploaded images for the specified property.

The code:

$sql = 'UPDATE property_images SET display_order = display_order + 1 WHERE property_id = "' . $this->_request->getParam('propertyid') . '"';
$images->getAdapter()->fetchAll($sql);
$images->update(array("display_order" => 1), 'image_id = "' . $this->_request->getParam('imageid') . '"');

The issue: I receive a "general error" when calling $images->getAdapter()->fetchAll(); The SQL is however executed successfully but Zend_DB_Table throws an exception and will not proceed to the next command. Any ideas / suggestions would be appreciated.

A: 

1) First, recognize that you need to fix your code so that you're escaping the user input. You are currently very vulnerable to SQL Injection.

2) Why are you passing an UPDATE query to fetchAll()?

3) Look at Zend_Db_Expr

timdev  2009-09-13 18:18:53
I am not vulnerable to SQL injection as this is done using values grabbed from the script itself before the user gets the information. They do not get to pass anything other than the property id and image id. I do a check to verify that the loged in user is the owner of the property and image as well. Thanks anywa though.
Dennis Day  2009-09-13 18:35:40
Fair enough. I'd still escape things explicitly, in case that external logic ever changes. Code has a tendency to get reused, and you're relying on authorization code to fail in order to ensure that bad params never make it to the database.
timdev  2009-09-13 19:15:36
A: 

Nevermind,

The solution:

$sql = 'UPDATE property_images SET display_order = display_order + 1 WHERE property_id = "1004" AND display_order < 3; $images->getAdapter()->query($sql); $images->update(array("display_order" => 1), 'image_id = "2003"');

This will grab the third image and set it to 1 after setting the images that had display order of 1 and 2 to 2 and three respectively.

Dennis Day  2009-09-13 18:33:02

related questions

Why do my exception stack traces always point to the last method line?
Exception analysis tool for C++
When to choose checked and unchecked exceptions
What is the general rule of thumbs for creating an Exception in Java?
Exception handling: Contract vs Exceptional approach
Configure a Java Socket to fail-fast on disconnect?
Is it really that bad to catch a general exception?
How Do You Communicate Service Layer Messages/Errors to Higher Layers Using MVP?
Do you write exceptions for specific issues or general exceptions?
How do I log uncaught exceptions in PHP?
Prevent WebBrowser control from swallowing exceptions
A ThreadStateException occures when trying to restart a thread
C# - CryptographicException: Padding is invalid and cannot be removed
How to trace COM objects exceptions?
Catching unhandled exceptions in ASP.NET UserControls
Final managed exception handler in a mixed native/managed executable?
With Lucene: Why do I get a Too Many Clauses error if I do a prefix search?
I can't get my debugger to stop breaking on first-chance exceptions
Performance Considerations for throwing Exceptions
Why can't I use a try block around my super() call?
IllegalArgumentException or NullPointerException for a null parameter?
Reducing duplicate error handling code in C#?
Exceptions in C++
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Unhandled Exception Handler in .NET 1.1