
I'm doing some queries in Zend Framework and I need to make sure no SQL injection is possible in the following kind of format. I can use mysql_escape (deprecated), but it won't do all the work. If I try to use real_mysql_escape it won't be able to grab the connection to the database, and I can't find how Zend_Filter would solve the problem.

The query I'm doing (simplified) has the following syntax:

    $db = Zend_Registry::get('db');
    // $username is concatenated straight into the SQL text; this is the query being asked about
    $select = "SELECT COUNT(*) AS num
                FROM message m
                WHERE m.message LIKE '".$username." %'";
    $row = $db->fetchRow($select);

What is the best way to prevent SQL injection with this framework?

3 Answers


Easy:

    $db->quote($username);

So:

    $username = $db->quote($username . '%');
    $select = 'SELECT COUNT(*) AS num
               FROM message m
               WHERE m.message LIKE ' . $username;
    $row = $db->fetchRow($select);

1 Comment

When I use $db->quote on a string that I am inserting, it puts quotes into the string even in the database field. Do I have to trim it after I quote it, or am I using it incorrectly?

    $sql = 'SELECT * FROM messages WHERE username LIKE ?';
    $row = $db->fetchRow($sql, $username);

Reference: http://framework.zend.com/manual/en/zend.db.html

1 Comment

The % is missing in this example; could it work by suffixing $username with '%'?

When working with a model you can use:

    $bugs = new Bugs();
    $row = $bugs->fetchRow($bugs->select()->where('bug_id = ?', 1));
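The three answers above show the same fix in three shapes: quoting the value with `$db->quote()`, binding it with a `?` placeholder, and building the statement with `Zend_Db_Select`. The following script is an added example (not code from the question or any of the answers) that runs all three against the question's `message` table and feeds them both a normal username and a constructed hostile string. It assumes Zend Framework 1 is on the include path and uses the in-memory SQLite adapter so it needs no MySQL server; the table contents are constructed sample data.

```php
<?php
// Added example, not from the original question or answers.
// Assumes Zend Framework 1 is on the include path. Uses the in-memory
// SQLite adapter so the script runs offline without a MySQL server.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));

// Constructed sample data standing in for the question's "message" table.
$db->query('CREATE TABLE message (id INTEGER PRIMARY KEY, message TEXT)');
foreach (array('alice hello', 'bob hi there', 'alice says hi') as $text) {
    $db->insert('message', array('message' => $text));
}

// 1) Quoting (first answer): $db->quote() returns the value wrapped in
//    quotes with embedded quotes escaped, so the whole string literal,
//    wildcard included, is produced by the adapter rather than by hand.
function countByQuote(Zend_Db_Adapter_Abstract $db, $username)
{
    $sql = 'SELECT COUNT(*) AS num FROM message m WHERE m.message LIKE '
         . $db->quote($username . ' %');
    return (int) $db->fetchOne($sql);
}

// 2) Positional bind (second answer): the value travels separately from
//    the SQL text, so it can never change the statement's structure. The
//    wildcard is appended to the value, not to the SQL.
function countByBind(Zend_Db_Adapter_Abstract $db, $username)
{
    $sql = 'SELECT COUNT(*) AS num FROM message m WHERE m.message LIKE ?';
    return (int) $db->fetchOne($sql, array($username . ' %'));
}

// 3) Zend_Db_Select (third answer): where('... ?', $value) quotes the
//    value into the placeholder when the statement is assembled.
function countBySelect(Zend_Db_Adapter_Abstract $db, $username)
{
    $select = $db->select()
        ->from(array('m' => 'message'), array('num' => 'COUNT(*)'))
        ->where('m.message LIKE ?', $username . ' %');
    return (int) $db->fetchOne($select);
}

// Constructed inputs: a real username and a string that would break the
// concatenated query from the question. All three safe forms treat the
// second one as an ordinary (non-matching) value and return 0 for it.
foreach (array('alice', "x' OR '1'='1") as $username) {
    printf("%-14s quote=%d bind=%d select=%d\n",
        $username,
        countByQuote($db, $username),
        countByBind($db, $username),
        countBySelect($db, $username));
}
```

One caveat that applies to all three forms: quoting and binding keep the value inside the string literal, which is what stops injection, but they do not neutralise `LIKE`'s own `%` and `_` wildcards. If the username must match literally, escape those two characters in the value (and the escape character itself) before appending the trailing `%`, and name that escape character with an `ESCAPE` clause.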
