kreut
Participant
July 8, 2011

Zend_Framework and security


In Dave Powers' fantastic introductory book, Adobe Dreamweaver: Training from the Source, I got a great intro using the Zend Framework to access my database. One issue that I'm now beginning to think about is security and SQL injection. I've heard that using Zend eliminates the risk of SQL injection, but it would be great to have a better understanding as to why it's not an issue using the Zend Framework. A typical query that I use in my site might look like:

$dbRead = new Zend_Db_Adapter_Pdo_Mysql($read);

// $user_id is interpolated straight into the SQL text
$sql = "SELECT *
        FROM questions
        WHERE author_id = $user_id OR
              public_access = 'Yes'";

// fetchAll() is a method of the adapter object, not of the $read config array
return $dbRead->fetchAll($sql);

where my $read has my database info.

Thanks!

-Eric


1 reply

David_Powers
Inspiring
July 8, 2011

kreut wrote:

One issue that I'm now beginning to think about is security and SQL injection. I've heard that using Zend eliminates the risk of SQL injection, but it would be great to have a better understanding as to why it's not an issue using the Zend Framework.

Glad you like the book, but I'm afraid you have an incorrect understanding of the Zend Framework and SQL injection. You still need to guard against SQL injection, as explained on pages 244-245.

When using a variable in a SELECT query, you need to use the quoteInto() method.

Your query should look like this:

$sql = $dbRead->quoteInto("SELECT *
                           FROM questions
                           WHERE author_id = ? OR
                                 public_access = 'Yes'", $user_id);

This sanitizes $user_id before inserting it into the query in place of the question mark.
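As an added example (not code from the thread or from the book), here is the question's query run three ways against the same data: interpolated as in the original post, through quoteInto() as in the reply, and with a bound parameter. It uses Zend_Db_Adapter_Pdo_Sqlite with an in-memory database so it runs without a MySQL server, and assumes Zend Framework 1.x is on the include path; the table, rows and inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from the book. Assumes Zend Framework 1.x
// is on the include path. The table, rows and inputs below are constructed.
require_once 'Zend/Db/Adapter/Pdo/Sqlite.php';

// In-memory SQLite instead of MySQL, so the script runs offline.
$db = new Zend_Db_Adapter_Pdo_Sqlite(array('dbname' => ':memory:'));

// Constructed sample data: two private questions and one public one.
$db->query('CREATE TABLE questions (id INTEGER PRIMARY KEY, author_id INTEGER, public_access TEXT, title TEXT)');
$db->insert('questions', array('author_id' => 1, 'public_access' => 'No',  'title' => 'private, author 1'));
$db->insert('questions', array('author_id' => 2, 'public_access' => 'No',  'title' => 'private, author 2'));
$db->insert('questions', array('author_id' => 2, 'public_access' => 'Yes', 'title' => 'public, author 2'));

// 1. String interpolation, as in the question: $user_id becomes part of the SQL
//    text, so the database parses whatever it contains as SQL.
function fetchInterpolated(Zend_Db_Adapter_Abstract $db, $user_id)
{
    $sql = "SELECT title FROM questions WHERE author_id = $user_id OR public_access = 'Yes'";
    return $db->fetchCol($sql);
}

// 2. quoteInto(), as in the reply: the value is quoted and escaped, then substituted
//    for the ? placeholder, so it reaches the database as one string literal.
function fetchQuoted(Zend_Db_Adapter_Abstract $db, $user_id)
{
    $sql = $db->quoteInto("SELECT title FROM questions WHERE author_id = ? OR public_access = 'Yes'", $user_id);
    return $db->fetchCol($sql);
}

// 3. A bound parameter: the SQL text is sent with the ? still in it and the value
//    travels separately, so it is never parsed as SQL at all.
function fetchBound(Zend_Db_Adapter_Abstract $db, $user_id)
{
    $sql = "SELECT title FROM questions WHERE author_id = ? OR public_access = 'Yes'";
    return $db->fetchCol($sql, array($user_id));
}

$variants = array('fetchInterpolated', 'fetchQuoted', 'fetchBound');

// With the kind of value a user is expected to supply, all three run the same query.
foreach ($variants as $fn) {
    printf("%-17s user_id=1          -> %s\n", $fn, implode(' | ', $fn($db, '1')));
}

// With a value that is not a number, only the interpolated version changes meaning:
// its WHERE clause becomes "author_id = 1 OR 1=1 OR public_access = 'Yes'", which is
// true for every row. The other two compare author_id against the single string
// value '1 OR 1=1', which is treated as data, not as a condition.
$notANumber = '1 OR 1=1';
foreach ($variants as $fn) {
    printf("%-17s user_id='%s' -> %s\n", $fn, $notANumber, implode(' | ', $fn($db, $notANumber)));
}
```

Two practical notes. For an integer column you can pass Zend_Db::INT_TYPE as the third argument to quoteInto() (or cast the value with (int) before binding) so that the value is coerced to an integer rather than compared as a string; this makes the intent explicit and avoids relying on the database's string-to-number rules, which differ (MySQL, for instance, converts a quoted non-numeric string to the number formed by its leading digits, with a warning, whereas SQLite leaves it as text). And quoteInto() and bound parameters both protect the value positions of a query only; a column or table name taken from user input still has to be validated against a whitelist, since neither mechanism can quote an identifier.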

kreut (author)
Participant
July 8, 2011

Thanks so much for the response!

-Eric