Is the Zend_Db_Table_Abstract->insert() function safe?
I am using the insert() function from Zend_Db_Table_Abstract.
The data being inserted is user input, so naturally I am curious if ZF does the data cleansing for me, or if I should do it myself before I call the insert() function.
When you need to use quoting (quote(), quoteInto()) with Zend_Db_Table:

- insert (no)
- update (yes)
- delete (yes)
- querying with SQL using the adapter directly (yes)

Use quotes with Zend_Db_Table_Select (usually not); make sure you examine the output of the query.
Here's a great answer from one of the authors of Zend_Db (avoiding MySQL injections with the Zend_Db class).
The Zend_Db insertion method sanitizes the parameters sent.