Question

Hello, I am using quoteInto in my query like below:

 $select->from('users')
 ->where($adapter->quoteInto('eu.username LIKE ?',"%".$param['name']."%"));

When I pass anything like 'or -1=-1' or anything like

 ' or 1=1--
 ' or 1--
 ' or 1
 \" or '1'
 ' or 1=1--
 ' OR ''='
 ' or 'a'='a
 ') or ('a'='a
 '; exec master..xp_cmdshell 'ping 10.10.1.2'--
 ';

When I echo my query, all this stuff is put in the LIKE clause of my query. I just want to ask whether, after quoting, my query is safe from SQL injection?


Solution

Yes, you are safe from SQL injection by using the db adapter quote functions.

When you use quoteInto, Zend will call the Zend_Db_Adapter::quote method to escape the value string.

From the Zend docs:
The quote() method accepts a single argument, a scalar string value. It returns the value with special characters escaped in a manner appropriate for the RDBMS you are using, and surrounded by string value delimiters.

To make your application safer you should also use Zend_Form with elements utilizing the available Zend Filters and Zend Validators. Validation of elements will catch the problem and avoid junk database calls, and filters will sanitize your data!
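As an added illustration (not part of the answer above, and not Zend Framework's own code), the stand-alone script below reproduces the escaping that Zend_Db_Adapter_Abstract::_quote() applies to a string, runs the question's inputs through it, and shows the one thing quote() does not cover: a user-supplied % or _ still acts as a LIKE wildcard unless it is escaped separately. The helper names and the assumption that backslash is the LIKE escape character (MySQL's default) are mine.

```php
<?php
// Added example; quote_value() mirrors what Zend_Db_Adapter_Abstract::_quote()
// does for a string: backslash-escape NUL, newline, CR, backslash, quotes and
// Ctrl-Z, then wrap the result in single quotes. Real adapters delegate to
// the driver (e.g. PDO::quote()), with the same effect on these inputs.
function quote_value(string $value): string
{
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

// quote() only keeps the value from breaking out of the string literal; it
// does not touch LIKE metacharacters. Escape them here so that % and _ in
// user input match literally (assumes backslash is the LIKE escape char).
function like_pattern(string $needle): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $needle);
    return quote_value('%' . $escaped . '%');
}

// Same substitution quoteInto() performs: each ? is replaced by the quoted value.
function quote_into(string $sql, string $quoted): string
{
    return str_replace('?', $quoted, $sql);
}

// Constructed inputs, taken from the question plus one containing wildcards.
$inputs = [
    "' or 1=1--",
    "') or ('a'='a",
    "' OR ''='",
    "50%_off",
];

foreach ($inputs as $name) {
    // Every quote in the input is escaped, so the whole value stays inside
    // the single-quoted literal and the WHERE clause is never restructured.
    $sql = quote_into('SELECT * FROM users WHERE eu.username LIKE ?', like_pattern($name));
    echo $sql, PHP_EOL;
}
```

Run it with the CLI interpreter (`php example.php`) and compare each printed statement with the raw input to see that the quotes no longer terminate the literal.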

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow