I use the following code

$this->getDb()->fetchRow($sql, $params);

Is it free from SQL injection? Please guide me. How can I make it free from SQL injection?

+3  A: 
1. Use the Zend_Db class for escaping.

2. Use the validators of Zend_Form to filter the input values.

3. Use prepared statements internally as much as possible, like:

// Build this query:
//    SELECT product_id, product_name, price
//    FROM "products"
//   WHERE (price < 100.00 OR price > 500.00)
//  AND (product_name = 'Apple')
$minimumPrice = 100;
$maximumPrice = 500;
$prod = 'Apple';
$select = $db->select()
   ->from('products',
   array('product_id', 'product_name', 'price'))
   ->where("price < $minimumPrice OR price > $maximumPrice")
   ->where('product_name = ?', $prod);

Read more in this link:

http://static.zend.com/topics/Webinar-Zend-Secure-Application-Development-with-the-Zend-Framework.pdf

Haim Evgi
Zend_Form validators and filters are a good first line of defense against SQL injection.
Hanseh
Meanwhile, you did not use placeholders for the price variables and did not give any hint how to escape them in this particular case.
zerkms
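The following is an added example (not code from the question, the answer, or the Zend Framework docs) that puts the answer's three points and zerkms's comment together: the question's `fetchRow($sql, $params)` pattern with bound parameters, and the same `select()` query with the prices quoted by the adapter instead of interpolated. It assumes a Zend Framework 1 `Pdo_Mysql` adapter configured with placeholder credentials, a `products` table with `product_id`, `product_name` and `price` columns, and the helper names `findUnsafe`, `findByNameAndPriceRange` and `selectByNameAndPriceRange`, which are hypothetical.

```php
<?php
// Added example; assumes a ZF1 install on the include path and a "products" table.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => '127.0.0.1',
    'username' => 'app',       // placeholder credentials
    'password' => 'secret',
    'dbname'   => 'shop',
));

// UNSAFE: the request value is spliced into the SQL text, so a value containing
// a quote character changes the structure of the statement, not just a literal.
function findUnsafe(Zend_Db_Adapter_Abstract $db, $name)
{
    $sql = "SELECT product_id, product_name, price FROM products WHERE product_name = '$name'";
    return $db->fetchRow($sql);
}

// SAFE: the SQL text is a constant; values travel separately as bound parameters.
// This is the shape of the question's getDb()->fetchRow($sql, $params) call, and it
// is injection-free as long as $sql itself never contains request data.
function findByNameAndPriceRange(Zend_Db_Adapter_Abstract $db, $name, $min, $max)
{
    $sql = 'SELECT product_id, product_name, price FROM products'
         . ' WHERE (price < ? OR price > ?) AND product_name = ?';
    // Filter step (point 2 of the answer): prices are numbers, so cast them before binding.
    $params = array((float) $min, (float) $max, (string) $name);
    return $db->fetchRow($sql, $params);
}

// Same query via Zend_Db_Select. The answer's where("price < $minimumPrice OR ...")
// interpolates the prices; here the adapter quotes them with quoteInto(), and the
// two range conditions are combined before where() wraps them in parentheses.
function selectByNameAndPriceRange(Zend_Db_Adapter_Abstract $db, $name, $min, $max)
{
    $range = $db->quoteInto('price < ?', (float) $min)
           . ' OR ' . $db->quoteInto('price > ?', (float) $max);
    return $db->select()
        ->from('products', array('product_id', 'product_name', 'price'))
        ->where($range)                     // (price < 100 OR price > 500)
        ->where('product_name = ?', $name); // quoted by Zend_Db_Select
}

// Constructed request values standing in for $_GET input.
$name = 'Apple';
$min  = '100';
$max  = '500';
$row  = findByNameAndPriceRange($db, $name, $min, $max);
echo selectByNameAndPriceRange($db, $name, $min, $max)->assemble(), "\n";
```

Note that the cast to float is a type filter, not a replacement for escaping: the string still reaches the database only through a bound parameter or through the adapter's quoting.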