Zend\db\sql - prepareStatementForSqlObject - sql injection?

Postby mich5791 on Tue May 02, 2017 10:39 pm

I'm using ZF 2.4, and this example is in Zend\Db\Sql. Do I need to worry about SQL injection, or do I still need to call quote() or escape anything if I already use prepareStatementForSqlObject()? Will the example below already use bind variables?

use Zend\Db\Sql\Sql;

// $adapter is an already configured Zend\Db\Adapter\Adapter;
// $id is the untrusted value coming from the request.
$sql = new Sql($adapter);
$select = $sql->select();
$select->from('foo');
$select->where(array('id' => $id)); // key/value pair: the value becomes a bound parameter

$statement = $sql->prepareStatementForSqlObject($select); // builds the prepared statement
$results = $statement->execute();                          // value is bound at execution
mich5791
Posts: 1
Joined: Tue May 02, 2017 10:36 pm

Re: Zend\db\sql - prepareStatementForSqlObject - sql injecti

Postby mehm8471 on Tue May 30, 2017 4:54 pm

You are safe with "select()" and using "where()" with it; in fact, you are mostly safe unless you build the SQL string yourself.

Good reading: \Zend\Db\Sql - Build SQL Where Clauses Easily and Efficiently by Matthew Setter.
Suat
smozgur.com
mehm8471
Posts: 23
Joined: Sat Jun 21, 2014 11:39 pm
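As an added example (not code from either post), here is the same Select built the two ways the answer distinguishes under ZF 2.4, plus the parameterised form of a custom expression. It assumes zend-db is installed through Composer, that the PDO SQLite driver is available, and the table "foo" and its rows are constructed here just to have something to run against.

```php
<?php
// Added example, not the forum poster's code. Shows why where(['id' => $x])
// is parameterised and what "building the SQL string yourself" looks like.
// Assumes ZF 2.4 zend-db via Composer and a PDO SQLite driver (constructed setup).
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;
use Zend\Db\Sql\Predicate\Expression;

// In-memory SQLite with a constructed table so the statements can execute.
$adapter = new Adapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
$adapter->query('CREATE TABLE foo (id INTEGER, name TEXT)', Adapter::QUERY_MODE_EXECUTE);
$adapter->query("INSERT INTO foo VALUES (1, 'a'), (2, 'b')", Adapter::QUERY_MODE_EXECUTE);
$sql = new Sql($adapter);

// Constructed untrusted input: a value that happens to contain a quote character.
$untrusted = "O'Brien";

// 1. The form from the question: the value is bound, never placed in the SQL text.
$select = $sql->select('foo');
$select->where(['id' => $untrusted]);
$stmt = $sql->prepareStatementForSqlObject($select);
echo "bound SQL:   ", $stmt->getSql(), PHP_EOL;   // placeholder in the text, value in the parameter container
echo "bound rows:  ", count(iterator_to_array($stmt->execute())), PHP_EOL; // 0: nothing matches that string

// 2. "Building the SQL string yourself": a plain string passed to where() is used
//    verbatim, so the input becomes part of the query text. Here the quote breaks
//    the statement; the same splicing is what makes injection possible.
$select = $sql->select('foo');
$select->where("id = '" . $untrusted . "'");
$stmt = $sql->prepareStatementForSqlObject($select);
echo "literal SQL: ", $stmt->getSql(), PHP_EOL;   // the input text is visible inside the query
try {
    $stmt->execute();
} catch (\Exception $e) {
    echo "literal failed: ", $e->getMessage(), PHP_EOL; // syntax error from the stray quote
}

// 3. Need a custom expression? Keep the value as a parameter of the Expression.
$select = $sql->select('foo');
$select->where(new Expression('id = ?', $untrusted));
$stmt = $sql->prepareStatementForSqlObject($select);
echo "expr SQL:    ", $stmt->getSql(), PHP_EOL;   // placeholder again, value bound
```

Comparing getSql() across the three cases is a quick review check: if request data is visible in the SQL text, that predicate was built as a literal and needs converting to the key/value or Expression-with-parameters form.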
