
Zend db - When should I quote to avoid sql injection?

I am confused about when the framework automatically quotes and when it does not quote variables. For example, as far as I can tell, it does not quote on the where clause (unless you use an extra parameter?).

Is there a guide/cheat-sheet that references when we must manually quote in basic CRUD operations?

Thank you.


For me, the basic "rule of thumb" is the following:

  • If you need to insert the value into a string, like that: "SELECT * from TABLE WHERE value=$value" you must quote it first.
  • If you are using a placeholder, e.g. $select->where('value = ?', $value);, or an array of values such as array('value' => $value), the framework will quote the value for you.

Hope it helps,


Never build the query string yourself, always let Zend_Db do it for you. I.e., don't specify your where clauses (and the like) by building the string yourself:

$where = 'id = ' . $_REQUEST['id'] . ' and thing = ' . $_REQUEST['thing'];
$select->where($where);

Instead do this:

$select
    ->where('id = ?', $_REQUEST['id'])
    ->where('thing = ?', $_REQUEST['thing']);
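The two answers above boil down to one rule: Zend_Db quotes what you hand it as a value (placeholder arguments, insert/update data arrays, fetch bind arrays), and never touches what you hand it as SQL text. The script below, an added example that is not from either answer or from the Zend Framework documentation, runs both styles against an in-memory SQLite database with a couple of constructed rows and a constructed hostile input, so you can see which one actually reaches the database as a literal. It assumes a Zend Framework 1.x library directory on the include_path; the table name, column names and sample values are made up for the demonstration.

```php
<?php
// Added example: manual quoting vs. Zend_Db placeholders (Zend Framework 1.x).
// Assumes the ZF1 library directory is on the PHP include_path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// In-memory SQLite so the script runs offline. Table and rows are constructed.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');

// insert() takes column => value pairs and quotes every value itself,
// including the embedded apostrophe in the second name.
$db->insert('users', array('name' => 'alice',       'role' => 'admin'));
$db->insert('users', array('name' => "bob o'brien", 'role' => 'user'));

// Constructed hostile input, as it might arrive in $_REQUEST['id'].
$hostile = '1 OR 1=1';

// 1) Building the WHERE string yourself: the input is SQL text, so the
//    injected OR is executed and every row comes back.
$unsafe = $db->select()->from('users')->where('id = ' . $hostile);
echo "unsafe SQL:  " . (string) $unsafe . "\n";
echo "unsafe rows: " . count($db->fetchAll($unsafe)) . "\n";

// 2) Placeholder: the input is a value, so quoteInto() turns the whole
//    thing into one string literal and the OR is just characters.
$safe = $db->select()->from('users')->where('id = ?', $hostile);
echo "safe SQL:    " . (string) $safe . "\n";
echo "safe rows:   " . count($db->fetchAll($safe)) . "\n";

// 3) The optional third argument (the "extra parameter" from the question)
//    is a type hint. With Zend_Db::INT_TYPE the value is cast with intval()
//    instead of being quoted, which is the right choice for numeric keys.
$typed = $db->select()->from('users')->where('id = ?', $hostile, Zend_Db::INT_TYPE);
echo "typed SQL:   " . (string) $typed . "\n";
echo "typed rows:  " . count($db->fetchAll($typed)) . "\n";

// 4) Raw SQL with bound parameters: fetchAll()/fetchRow()/query() accept a
//    bind array, so you never interpolate the value into the string.
$rows = $db->fetchAll('SELECT id, name FROM users WHERE name = ?', array("bob o'brien"));
echo "bound rows:  " . count($rows) . "\n";

// 5) Caveat for update()/delete(): the $where argument is SQL text and is
//    NOT quoted for you. Build it with quoteInto() (or pass an array of
//    'col = ?' => $value pairs), never by concatenation.
$db->update('users', array('role' => 'user'), $db->quoteInto('name = ?', 'alice'));
$db->delete('users', $db->quoteInto('id = ?', $hostile, Zend_Db::INT_TYPE));

// 6) If you really must build a string yourself, quote() is the manual
//    equivalent of what the placeholder does for you.
$literal = $db->quote("bob o'brien");
$rows = $db->fetchAll('SELECT id FROM users WHERE name = ' . $literal);
echo "quoted rows: " . count($rows) . "\n";
```

Printing the two selects is the quickest self-check when you are unsure which path you are on: the concatenated version shows the input pasted straight into the SQL, the placeholder version shows it wrapped in a quoted literal, and the typed version shows it reduced to an integer. The same distinction applies across CRUD: data arrays and placeholder arguments are values and are quoted; the $where strings of update() and delete() and anything you concatenate are SQL text and are your responsibility.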
