Zend Db avoiding sql injections
https://stackoverflow.com/questions/1876076
-
18-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have the following code:
public function checkLoginDetails($email, $password) {
$select = $this->select ();
$select->where ( "password=?", md5($password) );
$select->where ( "email=?", $email );
return $this->fetchRow($select);
}
email and password come directly from the user. Do I need to filter email with, say, mysql_real_escape_string or does Zend DB do it for me?
Thank you!
Solution
I was the main developer on Zend_Db, up to Zend Framework 1.0.
In the example you show, the values are interpolated into the query, with appropriate quotes and escaping applied. You don't have to do anything more.
Internally, it uses the quoting function built into the PHP extension for the Zend_Db_Adapter you're using. E.g. PDO::quote().
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
