
Is it possible to SQL inject a Zend_Db_Table_Abstract method?

For example:

 $this->insert();

Edit, for a clearer explanation:

POST values are:

'username' = 'admin';

'password' = '1;Drop table users;'

Here is the insert statement in the controller:

public function insertAction() {
    // Raw POST data, taken straight from the request
    $postValues = $this->_request->getPost();
    $usersTable = new Application_Models_DbTable_Users();
    $username = $postValues['username'];
    $password = $postValues['password'];
    // Column => value pairs handed to Zend_Db_Table_Abstract::insert()
    $data = array('username' => $username, 'password' => $password);
    $usersTable->insert($data);
}
  • Can you be a little more clear with your code and explanation? Commented Feb 21, 2012 at 6:02
  • If you create your own model class that "extends Zend_Db_Table_Abstract", you can add any methods you want. Commented Feb 21, 2012 at 8:44

2 Answers


Yes, it is possible, but in the usual uses of insert() it's not probable. Unless you are using Zend_Db_Expr, you should be safe, because insert() uses prepared statements.

See this post from Bill Karwin for other methods and details.
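The following is an added example, not code from the question or the answer, that shows what the answer describes: the question's POST values go through insert() as bound parameters, so the "Drop table" payload ends up stored as a literal string, while a Zend_Db_Expr would be spliced into the SQL verbatim. It assumes Zend Framework 1 on the include_path and the pdo_sqlite extension; the Users class, the table schema and the assertPlainValues() helper are constructed here.

```php
<?php
// Added example: Zend_Db_Table_Abstract::insert() binds plain array values as
// parameters (Zend_Db_Adapter_Abstract::insert() emits '?' and binds them), while
// a Zend_Db_Expr value is pasted into the statement unquoted.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table/Abstract.php';
require_once 'Zend/Db/Expr.php';

// In-memory SQLite so the example runs without a server; schema is constructed here.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
Zend_Db_Table_Abstract::setDefaultAdapter($db);

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

// Defensive check (hypothetical helper): user-supplied data must reach insert()
// as plain scalars, never wrapped in Zend_Db_Expr.
function assertPlainValues(array $data)
{
    foreach ($data as $column => $value) {
        if ($value instanceof Zend_Db_Expr || (!is_scalar($value) && $value !== null)) {
            throw new InvalidArgumentException("Column '$column' must be a plain value, not raw SQL");
        }
    }
    return $data;
}

// The POST values from the question, constructed here instead of read from the request.
$post = array('username' => 'admin', 'password' => '1;Drop table users;');

$users = new Users();
$users->insert(assertPlainValues(array(
    'username' => $post['username'],
    'password' => $post['password'],
)));

// The table still exists and the payload was stored exactly as typed.
$row = $users->fetchRow($users->select()->where('username = ?', 'admin'));
var_dump($row->password === $post['password']);
var_dump((int) $db->fetchOne('SELECT COUNT(*) FROM users'));

// The same user input wrapped in Zend_Db_Expr is refused before it reaches the adapter.
try {
    assertPlainValues(array('password' => new Zend_Db_Expr($post['password'])));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```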



Check the manual of Zend_Db_Table.

It will show you how you can create your own method.
