$data = array(
'logins' => new Zend_Db_Expr('logins + 1')
);
Also use quoting so that you are not vulnerable to SQL injection:
$n = $db->update('users', $data, $db->quoteInto('user_id = ?', $_userId));
Re comment: Yes, in the case of the update() method, it is assumed that you send a literal value if you do not use an object of type Zend_Db_Expr. You can check it yourself:
$db->getProfiler()->setEnabled(true);
$n = $db->update('users', $data, $db->quoteInto('user_id = ?', $_userId));
$qp = $db->getProfiler()->getLastQueryProfile();
echo $qp->getQuery() . "\n";
Any literal value that you give in your array $data is parameterized, so the query ends as follows:
UPDATE `users` SET `login` = ? WHERE user_id = 123
If you use an object of the Zend_Db_Expr class, it knows to literally interpolate the string into the query, instead of parameterization:
UPDATE `users` SET `login` = NOW() WHERE user_id = 123
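An added example, not part of the original answer: it shows a plain value being bound as a parameter while a Zend_Db_Expr is built only from an allow-listed column and an integer cast, because its text is copied into the SQL verbatim. It assumes Zend Framework 1 on the include_path and the pdo_sqlite extension; the table layout, sample row and the helper incrementCounter() are constructed for illustration.

```php
<?php
// Added example. Assumes Zend Framework 1 and pdo_sqlite are available;
// the schema, data and incrementCounter() are constructed, not from the page.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Expr.php';

/**
 * Increment a counter column without letting caller input reach Zend_Db_Expr.
 */
function incrementCounter(Zend_Db_Adapter_Abstract $db, $column, $userId, $step = 1)
{
    // Zend_Db_Expr is interpolated as-is, so build it only from an
    // allow-listed identifier and an integer cast.
    $allowed = array('logins', 'failed_logins');
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unexpected counter column');
    }
    $expr = new Zend_Db_Expr($db->quoteIdentifier($column) . ' + ' . (int) $step);

    // The WHERE value is quoted as an integer rather than concatenated.
    $where = $db->quoteInto('user_id = ?', $userId, Zend_Db::INT_TYPE);

    return $db->update('users', array($column => $expr), $where);
}

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, '
         . 'logins INTEGER, failed_logins INTEGER)');
$db->insert('users', array('user_id' => 123, 'name' => 'alice',
                           'logins' => 4, 'failed_logins' => 0));
$db->getProfiler()->setEnabled(true);

// Plain value: sent as a bound parameter, even though it looks like SQL.
$where = $db->quoteInto('user_id = ?', 123, Zend_Db::INT_TYPE);
$db->update('users', array('name' => 'logins + 1'), $where);
echo $db->getProfiler()->getLastQueryProfile()->getQuery(), "\n";

// Expression: interpolated into the statement after the helper's checks.
incrementCounter($db, 'logins', '123');
echo $db->getProfiler()->getLastQueryProfile()->getQuery(), "\n";

// The name column now holds the text "logins + 1"; logins was incremented.
print_r($db->fetchRow('SELECT name, logins FROM users WHERE user_id = 123'));

// A column outside the allow-list is rejected before any SQL is built.
try {
    incrementCounter($db, 'user_id', 123);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```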