ZendFramework

Protect sites from SQL-Injection

posted on 24 Aug 2011 16:14 by bomzaiya in ZendFramework
Every time we need to build a new SQL statement, we have to validate or reject incorrect values coming from the request parameters ($_POST, $_GET, or any other source). In Zend, the request values are read with $this->oHttpRequest->getParams() for GET and $this->oHttpRequest->getPost() for POST respectively.
 
The values obtained this way are still untrusted, so they must be escaped before being placed into a new SQL statement.
We used $this->_db->quoteInto('fieldname1 = ?', $param1) . $this->_db->quoteInto(' AND fieldname2 = ?', $param2), which quotes each value for the database adapter. Note that quoteInto() takes a single value per call; passing an array substitutes the whole comma-separated quoted list for every ?, so each condition is built separately.
This is much safer.
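The following is an added example (not code from the original post). It assumes Zend Framework 1 on the include path and uses an in-memory SQLite database constructed here, showing the unsafe concatenation beside the quoteInto(), Zend_Db_Select and bound-parameter forms:

```php
<?php
// Added example; not part of the original post. Assumes Zend Framework 1 is on
// the include path. Data below is constructed for the demo.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, city TEXT)");
$db->insert('users', array('name' => "O'Brien", 'city' => 'Dublin'));
$db->insert('users', array('name' => 'Smith',   'city' => 'Cork'));

// Request values as they would arrive from getParams()/getPost(). The quote in
// the name is exactly the kind of input that breaks naive concatenation.
$name = "O'Brien";
$city = 'Dublin';

// Unsafe: request values spliced straight into the statement. The embedded
// quote terminates the string literal, so the SQL is malformed and, with other
// input, the statement's meaning could be changed by the client.
$unsafe = "SELECT * FROM users WHERE name = '$name' AND city = '$city'";

// Safe: quoteInto() escapes one value per call for this adapter. Build each
// condition separately instead of passing an array for several '?'.
$where = $db->quoteInto('name = ?', $name)
       . $db->quoteInto(' AND city = ?', $city);
$rows = $db->fetchAll("SELECT * FROM users WHERE $where");

// Equivalent with Zend_Db_Select; each where() value is quoted the same way.
$select = $db->select()
             ->from('users')
             ->where('name = ?', $name)
             ->where('city = ?', $city);
$rows2 = $db->fetchAll($select);

// Or let the driver bind the values, so no escaping happens in PHP at all.
$rows3 = $db->fetchAll('SELECT * FROM users WHERE name = ? AND city = ?',
                       array($name, $city));

printf("%d row(s) via quoteInto, %d via select(), %d via bound params\n",
       count($rows), count($rows2), count($rows3));
```

All three safe forms return the single O'Brien row, while $unsafe is not a valid statement for the adapter.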
 
Apisarn Sasuk