How to quote column names using Zend_Db?

I use key as the column name in the MySQL table.

Since this is reserved, it must be properly shielded for use in the query:

 … WHERE `key` = 'test'

Manually, this is not a problem, but I use the Zend Framework and I want it to handle the escape correctly, for example:

 $table = new Application_Model_ATable();
 $table->fetchRow(
     $table->select()->where('key = ?', 'test')
 );

So the question is:

How to specify / remove column names using Zend_Db_Table?

+6
3 answers

avoid MySQL injections with Zend_Db class

The guy actually explains it, but it's bad to just quickly pull out a quote ...

Any other part of this expression that needs to be quoted or delimited is your responsibility. For example, if you interpolate any PHP variables in the expression, security is your responsibility. If you have column names that are SQL keywords, you need to delimit them yourself with quoteIdentifier(). Example:

 $select->where($db->quoteIdentifier('order') . ' = ?', $myVariable);

Hope this helps!

+4

try something like:

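 $table = new Application_Model_ATable();
 $db = $table->getAdapter();
 // quoteInto() quotes only the value, so the reserved column name is quoted separately
 $where = $db->quoteInto($db->quoteIdentifier('key') . ' = ?', 'test');
 $table->fetchRow($where);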

* - excerpt from the Zend_Db_Table link - *
Note. The values and identifiers in the SQL expression are not quoted for you. If you have values or identifiers that require quoting, you are responsible for doing so. Use the quote(), quoteInto(), and quoteIdentifier() methods of the database adapter.

+1

Column names must be specified when using capital letters. It is useful to specify these names with $db->quoteIdentifier($columnName) when you plan to switch the data adapter in the future.

+1
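
The quoteIdentifier() advice from the answers above, applied to a column name that is chosen at runtime: this is an added example, not code from the original posts. It assumes Zend Framework 1 on the include_path and the pdo_sqlite extension; the `atable` schema, the body of the model class and the helper `fetchRowByColumn()` are hypothetical, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example. Assumes ZF1 on the include_path and pdo_sqlite enabled.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table/Abstract.php';

// Hypothetical stand-in for the model class named in the question.
class Application_Model_ATable extends Zend_Db_Table_Abstract
{
    protected $_name = 'atable';
}

// Hypothetical helper: fetch one row by a column chosen at runtime.
function fetchRowByColumn(Zend_Db_Table_Abstract $table, $column, $value)
{
    // Allow-list first: the name must be one of the table's real columns.
    $columns = $table->info(Zend_Db_Table_Abstract::COLS);
    if (!in_array($column, $columns, true)) {
        throw new InvalidArgumentException('Not a column of this table');
    }

    // Identifier: quoted by the adapter, whose quote character is
    // adapter-specific. Value: passed through the ? placeholder,
    // never concatenated into the expression.
    $db     = $table->getAdapter();
    $select = $table->select()
        ->where($db->quoteIdentifier($column) . ' = ?', $value);

    return $table->fetchRow($select);
}

// Constructed sample data; "key" and "order" are both SQL keywords.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE atable (id INTEGER PRIMARY KEY, "key" TEXT, "order" INTEGER)');
$db->insert('atable', array('key' => 'test', 'order' => 7));

$table = new Application_Model_ATable(array('db' => $db));

// A reserved word as the column name works once it is quoted.
$row = fetchRowByColumn($table, 'key', 'test');
var_dump($row->toArray());

// A name that is not a column never reaches the SQL string.
try {
    fetchRowByColumn($table, 'no_such_column', 'test');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```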

Source: https://habr.com/ru/post/907095/