
How do I sanitize this SQL using Zend Framework, so that I can prevent SQL injection attacks?

"INSERT INTO table(A, B, C)
 SELECT MAX(A)+1, '".$params['B']."', '".$params['C']."' FROM table
 WHERE B='".$params['B']."' AND C='".$params['C']."'"

$params['B'] and $params['C'] are user inputs.

1 Answer

Use the quoteInto method to sanitize it.

http://framework.zend.com/manual/1.12/en/zend.db.adapter.html#zend.db.adapter.quoting.quote-into

To sanitize multiple arguments,

$stmt = $this->_db->prepare( 'SELECT * FROM ' . $this->_name . ' WHERE (a = ? AND b = ?) OR (c != ?)');
$stmt->execute(array($a, $b, $c));

http://blog.motane.lu/2009/05/21/zend_db-quoteinto-with-multiple-arguments/
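The query from the question rewritten both ways, as an added example (not code from the question, the answer, or Zend Framework itself). It assumes Zend Framework 1.x with the Pdo_Mysql adapter; the connection settings, the table name argument, and the helper function names are placeholders. Note that quoteInto() replaces every ? in the text with the same value unless its $count argument is given, so a query that repeats two different values is easier to handle with bound parameters, where each ? is consumed in order.

```php
<?php
// Added example: parameterising the INSERT ... SELECT from the question
// with Zend_Db 1.x. Connection details below are placeholders.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => '127.0.0.1',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'appdb',
));

/**
 * Preferred form: bound parameters. $db->query($sql, $bind) prepares the
 * statement and executes it with the values in $bind; the values are
 * never spliced into the SQL text, so quotes in user input stay data.
 */
function insertNextA(Zend_Db_Adapter_Abstract $db, $tableName, array $params)
{
    // Identifiers cannot be bound as parameters. quoteIdentifier() only
    // backtick-quotes the name; $tableName must still come from code,
    // never from user input.
    $table = $db->quoteIdentifier($tableName);

    // Positional placeholders are consumed left to right, so the same
    // value is passed twice where the original query repeated it.
    $sql = "INSERT INTO $table (A, B, C)
            SELECT MAX(A)+1, ?, ? FROM $table
            WHERE B = ? AND C = ?";

    $stmt = $db->query($sql, array(
        $params['B'], $params['C'],   // SELECT list
        $params['B'], $params['C'],   // WHERE clause
    ));
    return $stmt->rowCount();
}

/**
 * Equivalent using quote()/quoteInto(): the adapter escapes each value
 * and wraps it in quotes before it is concatenated. Each quoteInto()
 * call carries a single '?' so there is no ambiguity about which value
 * replaces which placeholder.
 */
function insertNextAQuoted(Zend_Db_Adapter_Abstract $db, $tableName, array $params)
{
    $table = $db->quoteIdentifier($tableName);

    $sql = "INSERT INTO $table (A, B, C) SELECT MAX(A)+1, "
         . $db->quote($params['B']) . ', ' . $db->quote($params['C'])
         . " FROM $table WHERE "
         . $db->quoteInto('B = ?', $params['B']) . ' AND '
         . $db->quoteInto('C = ?', $params['C']);

    return $db->query($sql)->rowCount();
}

// Constructed input that would have broken out of the string literal in
// the original concatenated query; here it is stored as a literal value.
$userInput = array(
    'B' => "x' OR '1'='1",
    'C' => "y'); DROP TABLE t; --",
);

insertNextA($db, 'my_table', $userInput);
insertNextAQuoted($db, 'my_table', $userInput);
```

The bound-parameter version is the one to reach for: it works the same through $db->query(), $db->prepare()->execute(), or Zend_Db_Statement_Pdo, since all three go through PDO prepared statements underneath. quoteInto() is fine for building a single condition, but it is string building, so any fragment that is concatenated without going through quote() or quoteInto() is still injectable.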

1 Comment

What's the difference of using $this->_db->prepare($sql) instead of new Zend_Db_Statement_Pdo($this->_db, $sql)?
