Zend - Do I need to use quote() when inserting / updating?

I am developing an application that allows users to enter VARCHAR(255) fields in MySQL, so security is a serious concern.

I'm having trouble understanding quote(). If I use quote('test'), the data comes back as '\'test\'' on SELECT, which is undesirable. How do I prevent this?

If I get around quote(), I can look in phpMyAdmin and see "test", so Zend doesn't seem to be quoting automatically ...

My code looks something like this:

    public function getDbTable()
    {
        if (null === $this->_dbTable) {
            $this->setDbTable(new Zend_Db_Table($this->_tableName));
        }
        return $this->_dbTable;
    }

    private function insert($anObject)
    {
        // Raw column values, passed straight to Zend_Db_Table::insert()
        $row = array();
        $row['cell1'] = $anObject->getCell1();
        $row['cell2'] = $anObject->getCell2();

        $this->getDbTable()->insert($row);
    }

Should I use quote() around $anObject->getCell1() etc. when inserting and updating?

+3
2 answers

No, Zend does it for you.

If I get around quote(), I can look in phpMyAdmin and see "test", so it doesn't seem like Zend will quote for me automatically ...

If you see "test" (with quotes) in PMA, it means that Zend is successfully quoting your string. If Zend did not quote() it, you would see an exception due to an invalid query. ;-)

+5
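The answer above says Zend quotes for you; the following is an added example (not code from the question, the answers or the Zend project) that shows what that means in practice: a value passed to insert() is bound as a parameter and stored verbatim, a value run through quote() first is stored with the quote characters inside it, and quote()/quoteInto() are only needed where you splice text into SQL yourself (for example the $where argument of update()). It assumes Zend Framework 1.x is on the include path and the pdo_sqlite extension is loaded; the table name `notes`, the column `cell1` and the input string are constructed for the demo.

```php
<?php
// Added example, not part of the original post. Assumes Zend Framework 1.x on
// the include path and pdo_sqlite available; table/column/input are constructed.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table.php';

// In-memory SQLite keeps the demo self-contained. The binding behaviour is the
// same on MySQL; only the escaping style quote() emits differs (\' vs '').
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE notes (id INTEGER PRIMARY KEY AUTOINCREMENT, cell1 VARCHAR(255))');

// Mirror the question: a Zend_Db_Table built from a table name.
Zend_Db_Table::setDefaultAdapter($db);
$table = new Zend_Db_Table('notes');

// Constructed "user input" containing a quote character.
$userInput = "O'Reilly";

// 1. Plain value. Zend_Db_Table::insert() delegates to
//    Zend_Db_Adapter_Abstract::insert(), which binds each value as a
//    parameter, so the driver handles the quote and the row equals the input.
$table->insert(array('cell1' => $userInput));
$stored = $db->fetchOne('SELECT cell1 FROM notes WHERE id = ?', array(1));
assert($stored === $userInput);

// 2. Pre-quoted value. quote() returns the string wrapped in quotes and
//    escaped; insert() then binds THAT string verbatim, so the quote
//    characters become part of the stored data (the symptom in the question).
$table->insert(array('cell1' => $db->quote($userInput)));
$stored = $db->fetchOne('SELECT cell1 FROM notes WHERE id = ?', array(2));
assert($stored !== $userInput);
assert(substr($stored, 0, 1) === "'");

// 3. Where quoting IS your job: the $where argument of update()/delete() is
//    spliced into the SQL text as-is, so build it with quoteInto(), never by
//    string concatenation with raw input.
$affected = $db->update(
    'notes',
    array('cell1' => 'renamed'),
    $db->quoteInto('cell1 = ?', $userInput)
);
assert($affected === 1);
```

Rule of thumb from the example: values that go through insert()/update() bind arrays are never quoted by hand, and quote()/quoteInto() are reserved for fragments you assemble into SQL text yourself.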

Zend_Db_Table_Abstract::insert Zend_Db_Adapter_Abstract::insert. Zend_Db, SQL insert.

0

Source: https://habr.com/ru/post/1769443/
