In Dave Powers' fantastic introductory book, ADOBE Dreamweaver, Training From the Source, I got a great intro using the Zend Framework to access my database. One issue that I'm now beginning to think about is Security and SQL injection. I've heard that using Zend eliminates the risk of SQL injection, but it would be great to have a better understanding as to why it's not an issue using the Zend Framework. A typical query that I use in my site might look like:
$dbRead = new Zend_Db_Adapter_Pdo_Mysql($read);   // $read holds the connection settings
$sql = "SELECT *
        FROM questions
        WHERE author_id = $user_id OR
              public_access = 'Yes'";               // $user_id is written straight into the SQL string
return $dbRead->fetchAll($sql);                    // run the query through the adapter, not the config array
where my $read has my database info.
Thanks!
-Eric
kreut wrote:
One issue that I'm now beginning to think about is Security and SQL injection. I've heard that using Zend eliminates the risk of sql injection, but it would be great to have a better understanding as to why it's not an issue using the Zend Framework.
Glad you like the book, but I'm afraid you have an incorrect understanding of the Zend Framework and SQL injection. You still need to guard against SQL injection, as explained on pages 244-245.
When using a variable in a SELECT query, you need to use the quoteInto() method.
Your query should look like this:
$sql = $dbRead->quoteInto("SELECT *
                           FROM questions
                           WHERE author_id = ? OR
                                 public_access = 'Yes'", $user_id);
This sanitizes $user_id before inserting it into the query in place of the question mark.
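The following is an added example, not code from the thread or from the book. It puts the interpolated query from the question next to the quoteInto() form from the reply and next to a bound-parameter query, then runs all three against the same crafted value so the difference is visible. It assumes Zend Framework 1.x is on the include_path and uses an in-memory SQLite adapter (an assumption, chosen so it runs offline); the questions table and its three rows are constructed test data. It goes a step beyond the reply by passing Zend_Db::INT_TYPE to quoteInto() and by showing fetchAll() with a bind array, both of which are part of the ZF1 adapter API.

```php
<?php
// Added example (not from the original thread): interpolation vs quoteInto()
// vs bound parameters in Zend_Db. Assumes Zend Framework 1.x on the
// include_path; the SQLite in-memory database and the sample rows are
// constructed for the demonstration.
require_once 'Zend/Db.php';

// The query as written in the question: $userId is dropped into the SQL
// string, so anything it contains becomes part of the statement.
function buildUnsafeQuery($userId)
{
    return "SELECT * FROM questions WHERE author_id = $userId OR public_access = 'Yes'";
}

// quoteInto() replaces every ? in the text with the quoted value. Passing
// Zend_Db::INT_TYPE makes the adapter cast the value to an integer instead
// of wrapping it in quotes as a string.
function buildQuotedQuery(Zend_Db_Adapter_Abstract $db, $userId)
{
    return $db->quoteInto(
        "SELECT * FROM questions WHERE author_id = ? OR public_access = 'Yes'",
        $userId,
        Zend_Db::INT_TYPE
    );
}

// Bound parameter: the SQL text and the value are sent to the driver
// separately, so the value can never alter the structure of the statement.
function fetchQuestionsBound(Zend_Db_Adapter_Abstract $db, $userId)
{
    $sql = "SELECT * FROM questions WHERE author_id = ? OR public_access = 'Yes'";
    return $db->fetchAll($sql, array((int) $userId));
}

// Constructed schema and rows: one private question per user, one public one.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query("CREATE TABLE questions (id INTEGER PRIMARY KEY, author_id INTEGER, public_access TEXT, title TEXT)");
$db->insert('questions', array('author_id' => 1, 'public_access' => 'No',  'title' => 'private to user 1'));
$db->insert('questions', array('author_id' => 2, 'public_access' => 'No',  'title' => 'private to user 2'));
$db->insert('questions', array('author_id' => 2, 'public_access' => 'Yes', 'title' => 'public'));

// A crafted "user id", as might arrive in a tampered request parameter.
$hostile = '0 OR 1=1';

// Interpolation: the OR 1=1 becomes part of the WHERE clause, so every row,
// including other users' private questions, is returned.
echo buildUnsafeQuery($hostile) . "\n";
$leaked = $db->fetchAll(buildUnsafeQuery($hostile));
echo count($leaked) . " row(s) via interpolation\n";

// quoteInto() with INT_TYPE: the value is cast to the integer 0, so the
// WHERE clause only matches author_id = 0 or the public row.
echo buildQuotedQuery($db, $hostile) . "\n";
$quoted = $db->fetchAll(buildQuotedQuery($db, $hostile));
echo count($quoted) . " row(s) via quoteInto\n";

// Bound parameter: same result, and the SQL text never contains user data.
$bound = fetchQuestionsBound($db, $hostile);
echo count($bound) . " row(s) via bound parameter\n";
```

Two things to keep in mind when relying on quoteInto(): with no count argument it replaces every ? in the text, so the SQL must not contain a literal question mark anywhere else; and without a type argument it quotes the value as a string, which is no longer an injection but leaves the comparison with an integer column to the database's string-to-number coercion, so giving the type (or binding a cast value, as in fetchQuestionsBound) is the cleaner choice.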
Thanks so much for the response!
-Eric