
I am using the zend_db_select class as my SQL wrapper. I would like to know if the following insert statement is secure (whether it provides a mechanism to prevent SQL injection, etc.).

function createNew($message,$tags,$userid,$imgsrc){
    // Column => value map; plain PHP values are bound by the adapter,
    // while the Zend_Db_Expr is passed through as raw SQL (NOW()).
    $data = array('message' => $message,
                      'tags' => $tags,
                      'imgsrc' => $imgsrc,
                      'createdtimestamp'=>new Zend_Db_Expr('NOW()'),
                      'userid' => $userid);   
    $this->dbo->insert('data', $data);   // Zend_Db_Adapter::insert($table, $bind)
    return $this->dbo->lastInsertId();
}

I tried inserting a row into the table with some quotes, and it didn't get escaped with \. Am I worrying too much, or does phpMyAdmin automatically remove the \ for easy viewing? Confused. I read somewhere that zend_db_select caters for SQL injection stuff like that.

Advice appreciated. Thanks.

1 Answer


Yes, this is secure. Zend DB uses prepared statements, so each of the values in your array is automatically escaped using the appropriate mechanism.

If you view the contents of your database (e.g. with a tool like phpMyAdmin), you should never see escaped quotes in there; that is the point of escaping data. If you insert the string O'Reilly, that's what ends up in your DB.

Edit: Consider this query:

INSERT INTO users (name) VALUES ('John O'Reilly')

this won't work and will give you an SQL syntax error, because the SQL parser will see the second ' as the end of the column value, and will then choke when it sees the character following. So you need to escape that quote:

INSERT INTO users (name) VALUES ('John O\'Reilly')

The backslash tells it to treat the apostrophe following as a literal (i.e. don't treat it as the end of the column value). The backslash itself is never inserted into the database. This is an escape character, and using one like this is common practice in computing.


5 Comments

Hi Tim! Thanks for the reply! I do not understand why we should never see the escaped quotes; why is that the point? The point of escaping data is to see our string get \' in the db. E.g. we entered O'Reilly; how do we know the string is escaped if it appears as O'Reilly in the db? I am confused about this point.
I've edited my answer to include an example; hopefully that's clearer.
Oh, I see! I just realized... so SQL injection can only potentially happen for select, delete and update statements with where clauses? It won't happen for inserts?
No, SQL injection can happen on any query that involves user input.
Hmm, so will SQL injection happen in the above insert statement? How is it protected?
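The answer and the last comment above both come down to one point: an INSERT is just as injectable as a SELECT when user input is pasted into the SQL text, and a parameterised statement avoids that without ever putting a backslash into the stored value. The following is an added example, not code from the question or from Zend_Db; it uses Python's sqlite3 driver in place of PHP/Zend_Db because the behaviour is the same for any driver that binds parameters, and it assumes a constructed users(name, role) table with an attacker-controlled name.

```python
import sqlite3


def make_db():
    """In-memory sqlite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)"
    )
    return conn


def last_row(conn):
    """Return (name, role) of the most recently inserted row."""
    return conn.execute(
        "SELECT name, role FROM users ORDER BY id DESC LIMIT 1"
    ).fetchone()


def insert_unsafe(conn, name):
    # VULNERABLE: the value is interpolated into the statement text, so a
    # quote inside it is read by the SQL parser as the end of the literal.
    sql = "INSERT INTO users (name, role) VALUES ('%s', 'user')" % name
    conn.execute(sql)
    conn.commit()
    return last_row(conn)


def insert_safe(conn, name):
    # Parameterised: the SQL text is fixed and the value is bound separately,
    # so the driver never has to escape it into the statement and the stored
    # string is exactly what was passed in (no backslash added).
    conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))
    conn.commit()
    return last_row(conn)


def demo():
    """Run the same two inputs through both paths and collect what each stores."""
    conn = make_db()
    results = {}

    # 1. An apostrophe through the unsafe path: the parser sees 'O' then
    #    the bare word Reilly and raises a syntax error.
    try:
        insert_unsafe(conn, "O'Reilly")
        results["unsafe_oreilly"] = "inserted"
    except sqlite3.OperationalError:
        results["unsafe_oreilly"] = "syntax error"

    # 2. The same apostrophe through the safe path is stored verbatim.
    results["safe_oreilly"] = insert_safe(conn, "O'Reilly")

    # 3. A constructed injection payload: closes the literal, supplies its
    #    own role column, and comments out the rest of the statement.
    payload = "mallory', 'admin') -- "
    results["unsafe_payload"] = insert_unsafe(conn, payload)

    # 4. The identical payload through the safe path is just a strange name.
    results["safe_payload"] = insert_safe(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The INSERT in the question is on the safe side of this comparison: Zend_Db's insert() binds the array values as parameters, so the quotes you typed reach the table untouched, which is why phpMyAdmin shows no backslash. The Zend_Db_Expr('NOW()') value is the one thing deliberately passed through as raw SQL, so never build a Zend_Db_Expr from user input.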
