2

I was wondering if something like this is safe in Zend:

$db = Zend_Registry::get('db');
// $postid is concatenated straight into the SQL text
$query = "SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id where pt.post_id = " . $postid;
$select = $db->query($query);

I'm not checking the content of $postid here.

Zend does this automatically when you make queries like this:

$db = Zend_Registry::get('db');
$select = $db->select();
$select->from(array('p' => 'posts'))
    ->join(array('u' => 'users'), 'u.user_id = p.post_userid')
    ->where('p.post_id = ?', $postid);

But I don't like this way of working; just writing queries is much faster for me. So should I be manually escaping, or is this done for me? And what are the easiest ways to do this?

2 Answers

3

If you don't want to use Zend_Db_Select you can do:

$select = $db->query("SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id where pt.post_id = ?", array($postid));

Where the 2nd param is an array of values to be dropped into the placeholders. See: http://framework.zend.com/manual/en/zend.db.statement.html
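The following is an added example, not code from the question or either answer, that puts the three options side by side on a throwaway database: the concatenation from the question, the placeholder form from this answer, and Zend_Db's quoteInto() for when you want a single SQL string. It assumes Zend Framework 1 is on the include path and uses an in-memory SQLite adapter; the tables and rows are constructed to mirror the question.

```php
<?php
// Added example (not from the original question or answers). Assumes Zend
// Framework 1 is on the include path; uses an in-memory SQLite database so it
// runs without a server.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));

// Constructed schema and sample rows mirroring the tables in the question.
$db->query('CREATE TABLE tags (tag_id INTEGER PRIMARY KEY, name TEXT)');
$db->query('CREATE TABLE posts_tags (post_id INTEGER, tag_id INTEGER)');
$db->insert('tags', array('tag_id' => 1, 'name' => 'php'));
$db->insert('tags', array('tag_id' => 2, 'name' => 'zend'));
$db->insert('posts_tags', array('post_id' => 10, 'tag_id' => 1));
$db->insert('posts_tags', array('post_id' => 11, 'tag_id' => 2));

$sql = 'SELECT t.name FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id'
     . ' WHERE pt.post_id = ';

// 1. Concatenation, as in the question. Zend_Db only ever receives the
//    finished string, so it has no way to quote or escape $postid: whatever
//    the variable contains is parsed as SQL.
function tagsByConcat(Zend_Db_Adapter_Abstract $db, $sql, $postid)
{
    return $db->fetchCol($sql . $postid);
}

// 2. Positional placeholder, as in the answer. The value travels separately
//    from the SQL text and is bound by the driver, so it is always data.
function tagsByBind(Zend_Db_Adapter_Abstract $db, $sql, $postid)
{
    return $db->fetchCol($sql . '?', array($postid));
}

// 3. quoteInto(): Zend_Db quotes the value itself and splices it into the
//    string, for cases where a single SQL string is genuinely needed.
function tagsByQuoteInto(Zend_Db_Adapter_Abstract $db, $sql, $postid)
{
    return $db->fetchCol($db->quoteInto($sql . '?', $postid));
}

// 4. Validation in front of any of the above: a post id is an integer, so
//    reject anything that is not one before it gets near the query.
function requireIntId($value)
{
    if (!is_numeric($value) || (string) (int) $value !== (string) $value) {
        throw new InvalidArgumentException('post id must be an integer');
    }
    return (int) $value;
}

// A well-formed id behaves the same way in all three variants.
$good = requireIntId('10');
print_r(tagsByConcat($db, $sql, $good));
print_r(tagsByBind($db, $sql, $good));
print_r(tagsByQuoteInto($db, $sql, $good));

// A malformed value (constructed here as a non-integer string) shows the
// difference: bound and quoted variants compare post_id against the literal
// text and simply find no rows, while the concatenated variant hands the
// raw text to the SQL parser and fails with a database error.
$malformed = '10 abc';
print_r(tagsByBind($db, $sql, $malformed));
print_r(tagsByQuoteInto($db, $sql, $malformed));
try {
    print_r(tagsByConcat($db, $sql, $malformed));
} catch (Zend_Db_Exception $e) {
    echo 'concatenated query rejected by the database: ' . $e->getMessage() . PHP_EOL;
}
try {
    requireIntId($malformed);
} catch (InvalidArgumentException $e) {
    echo 'rejected before reaching the database: ' . $e->getMessage() . PHP_EOL;
}
```

Of the three query styles, the bound placeholder is the one to default to: it needs no escaping decisions on your side and keeps the SQL text constant, which is also what a database-side log or query-normalising IDS expects to see. quoteInto() is acceptable when you must build a string, but it relies on you remembering to call it for every interpolated value. Validating the id as an integer up front is cheap and catches bad input before it reaches either path.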



1

Zend cannot be escaping your variable because it never sees it. Your variable is being appended to a string, and the $db->query method gets to see the string as a whole.

I don't think that the query() method does any sanitization anyway.

