Zend Framework Zend_Db - When to Quote and When Not to Quote User Input

If you search the source code of the Zend Framework (version 1.0.0) for the string “get_magic_quotes_gpc” you will discover that it does not appear. This indicates that the framework does not do anything fancy to decide whether or not to quote user input before it is inserted into a database.

This implies that Zend assumes that get_magic_quotes_gpc is turned off.

In certain situations you should use some of the functions provided by the Zend_Db Adapter class to quote untrustworthy data before it is used in Zend_Db queries ( quote(), quoteInto() and quoteIdentifier() ). Using methods of the Zend_Db Adapter class enables the correct quoting to occur for the particular brand of database that is specified by the adapter.

In other situations, however, it is NOT necessary to do any quoting.

(I got a bit confused about this whole thing whilst following Rob Allen’s tutorial on Getting started with Zend).

So the question is: When do I quote and when do I not quote?

Because it is so important to get this right - I have decided to build a cheat sheet, below, to help me as I code.

Feel free to add to the list using the comments form below.
PLEASE SHOUT AT ME IF YOU SPOT ANY MISTAKES!

The “Zend When-to-Quote Cheatsheet”

———————

fetchAll() method of the adapter

I’m not sure about this one, need to do an experiment.

———————

fetchAssoc() method of the adapter

I’m not sure about this one, need to do an experiment.

———————

insert() method of an adaptor

The first argument is a string that names the table, and the second argument is an associative array, mapping column names to data values. By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You do not need to apply escaping or quoting to values in the data array.

————————-

update() method of an adapter

This method takes three arguments:
the first is the name of the table;
the second is an associative array mapping columns to change to new values to assign to these columns.

The third argument is a string containing an SQL expression that is used as criteria for the rows to change.
The values and identifiers in this 3rd argument are NOT quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely.

——————————

delete() method of an adapter

This method takes two arguments:
the first is a string naming the table.
The second argument is a string containing an SQL expression that is used as criteria for the rows to delete.
The values and identifiers in this 2nd argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely.

——————————

more to follow when i get the time…(i’m busy building my first web app with Zend!)

3 Responses to “Zend Framework Zend_Db - When to Quote and When Not to Quote User Input”

  1. infoseeker Says:

    Here is an answer from the horse’s mouth:

    http://stackoverflow.com/questions/975009/avoiding-mysql-injections-with-the-zend-db-class/985316#985316

  2. Cristian Says:

    Whe you make a select try to not do thinks like this:
    $this->db->updatet(’table’,array(’row1′ => ‘data1′,’row2′=>’data2′),’id = ‘.$id);

    use quoteInto. Ex:

    $this->db->updatet(’table’,array(’row1′ => ‘data1′,’row2′=>’data2′),$this->db->quoteInto(’id = ‘, $id));

  3. sonam Says:

    In Zend there are inbuilt $this->db->quoteInto() function, this function are used to remove
    The following characters(i.e. magical characters):

    \x00 �
    \n
    \r
    \


    \x1a =

    if you want to insert the form input in to database ,then you must use the “quote”, because it act as a sql anti injection, it prevent your site from hacking…..
    One of the best example is your login form:

    in login from there are query like:

    select * from user_info where username=”sonam” and password=”sonam”;

    so,

    in the login page : if the user wrote:

    username: “sonam=1 or 1=1
    then the you can loged in with out password,

    so use $this->db->quoteInto() function similar to as my brother Cristian Says

Leave a Reply