Comments on: Zend Framework Zend_Db - When to Quote and When Not to Quote User Input http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/ Web Publishing Techniques Tue, 07 Feb 2012 21:10:24 +0000 http://wordpress.org/?v=2.1.3 By: infoseeker http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/#comment-17988 infoseeker Fri, 23 Apr 2010 02:28:47 +0000 http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/#comment-17988 Here is an answer from the horse's mouth: http://stackoverflow.com/questions/975009/avoiding-mysql-injections-with-the-zend-db-class/985316#985316 Here is an answer from the horse’s mouth:

http://stackoverflow.com/questions/975009/avoiding-mysql-injections-with-the-zend-db-class/985316#985316

]]> By: Cristian http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/#comment-18777 Cristian Tue, 07 Dec 2010 12:58:00 +0000 http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/#comment-18777 Whe you make a select try to not do thinks like this: $this->db->updatet('table',array('row1' => 'data1','row2'=>'data2'),'id = '.$id); use quoteInto. Ex: $this->db->updatet('table',array('row1' => 'data1','row2'=>'data2'),$this->db->quoteInto('id = ', $id)); Whe you make a select try to not do thinks like this:
$this->db->updatet(’table’,array(’row1′ => ‘data1′,’row2′=>’data2′),’id = ‘.$id);

use quoteInto. Ex:

$this->db->updatet(’table’,array(’row1′ => ‘data1′,’row2′=>’data2′),$this->db->quoteInto(’id = ‘, $id));

]]> By: sonam http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/#comment-19477 sonam Sat, 05 Nov 2011 09:20:16 +0000 http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/#comment-19477 In Zend there are inbuilt $this->db->quoteInto() function, this function are used to remove The following characters(i.e. magical characters): \x00 � \n \r \ ' " \x1a = if you want to insert the form input in to database ,then you must use the "quote", because it act as a sql anti injection, it prevent your site from hacking..... One of the best example is your login form: in login from there are query like: select * from user_info where username="sonam" and password="sonam"; so, in the login page : if the user wrote: username: "sonam=1 or 1=1 then the you can loged in with out password, so use $this->db->quoteInto() function similar to as my brother Cristian Says In Zend there are inbuilt $this->db->quoteInto() function, this function are used to remove
The following characters(i.e. magical characters):

\x00 �
\n
\r
\


\x1a =

if you want to insert the form input in to database ,then you must use the “quote”, because it act as a sql anti injection, it prevent your site from hacking…..
One of the best example is your login form:

in login from there are query like:

select * from user_info where username=”sonam” and password=”sonam”;

so,

in the login page : if the user wrote:

username: “sonam=1 or 1=1
then the you can loged in with out password,

so use $this->db->quoteInto() function similar to as my brother Cristian Says

]]>