Zend\db\sql - prepareStatementForSqlObject - sql injection?


Postby mich5791 on Tue May 02, 2017 10:39 pm

I'm using ZF 2.4, and for this example in Zend\Db\Sql: do I need to worry about SQL injection, or do I still need to quote() or escape anything if I already use prepareStatementForSqlObject()? Does the example below already use bind variables?

use Zend\Db\Sql\Sql;

// $adapter: an already-configured Zend\Db\Adapter\Adapter instance
$sql = new Sql($adapter);
$select = $sql->select();
$select->from('my_table');           // table name is a placeholder; the original snippet omitted from()
$select->where(array('id' => $id));  // array predicate: the value becomes a bound parameter

$statement = $sql->prepareStatementForSqlObject($select);
$results = $statement->execute();

Re: Zend\db\sql - prepareStatementForSqlObject - sql injection?

Postby mehm8471 on Tue May 30, 2017 4:54 pm

You are safe with "select()" and using "where()" with it; in fact, you are mostly safe unless you build the SQL string yourself.

Good reading: \Zend\Db\Sql - Build SQL Where Clauses Easily and Efficiently by Matthew Setter.
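
To make the distinction in this answer concrete, here is an added example (not code from the thread or from Zend\Db itself) that puts the same value through the array-predicate form and through a hand-built string predicate, and shows where the value ends up in each case. It assumes zendframework/zend-db is installed via Composer; the in-memory SQLite adapter and the users table are constructed stand-ins for the poster's $adapter.

```php
<?php
// Added example, not from the original thread. Requires zendframework/zend-db
// (ZF 2.4 era). The SQLite adapter and sample table are constructed for the demo.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;

$adapter = new Adapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
$adapter->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)', Adapter::QUERY_MODE_EXECUTE);
$adapter->query("INSERT INTO users (id, name) VALUES (1, 'O''Brien'), (2, 'bob')", Adapter::QUERY_MODE_EXECUTE);

// Constructed user input: a single quote is enough to break a hand-built string.
$name = "O'Brien";
$sql  = new Sql($adapter);

// 1) The pattern from the question: array predicate. The generated SQL carries a
//    placeholder and the value travels separately in the parameter container, so
//    the database never parses the value as SQL text.
$select    = $sql->select('users')->where(['name' => $name]);
$statement = $sql->prepareStatementForSqlObject($select);
echo $statement->getSql(), PHP_EOL;   // ... WHERE "name" = :where1 (placeholder name depends on the driver)
var_dump($statement->getParameterContainer()->getNamedArray()); // value lives here, not in the SQL
$rows = iterator_to_array($statement->execute());
echo count($rows), " row(s) matched", PHP_EOL;  // 1: the quote is just data

// 2) "Building the SQL string yourself": a string predicate is pasted into the
//    query verbatim. With this input it is merely broken SQL; with hostile input
//    it is an injection point. Rendering it without executing shows the problem.
$unsafe = $sql->select('users')->where("name = '$name'");
echo $unsafe->getSqlString($adapter->getPlatform()), PHP_EOL; // ... WHERE name = 'O'Brien'  <- unbalanced quote
```

The two outputs line up with the answer above: where() given an array (or any Predicate object) parameterizes the value, while a raw string passed to where() is the "build the SQL string yourself" case and must never contain untrusted input.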
