    function update_page($page_id, $page_title, $page_content, $seo_title, $seo_keywords, $seo_desc)
    {
        // Column values go to update() as a data array; the WHERE clause is
        // built by concatenating $page_id straight into the SQL string.
        $pagedata = array(
            'page_title'   => $page_title,
            'page_content' => $page_content,
            'seo_title'    => $seo_title,
            'seo_keywords' => $seo_keywords,
            'seo_desc'     => $seo_desc,
        );
        $this->dbo->update('zp_mobile_page', $pagedata, 'page_id = ' . $page_id);
        $return_message = "Page Updated!";
        return $return_message;
    }

Hi, I am using Zend DB. I read this forum about Zend, but I still do not get whether Zend's update, insert and select are safe from SQL injection, or whether I need to sanitize them again.

Can anyone guide me in layman's terms?

Slay
  • Possible duplicate of http://stackoverflow.com/questions/975009/avoiding-mysql-injections-with-the-zend-db-class – Nemanja Jul 12 '12 at 15:30

1 Answer


See @Nemanja's comment, but no, that isn't really safe from injection unless you are escaping $page_id manually somewhere else.

You need to use quoteInto in order to secure the data:

 $this->dbo->update('zp_mobile_page',
                    $pagedata,
                    // $this->dbo is used as the adapter itself in the question
                    // (update() is given a table name), so quoteInto() is called
                    // on it directly; getAdapter() exists on Zend_Db_Table_Abstract,
                    // not on Zend_Db_Adapter_Abstract.
                    $this->dbo->quoteInto('page_id = ?', $page_id));

You can also escape a single value using Zend_Db_Adapter::quote().

drew010
  • I would like to ask. Referencing here: http://www.eatmybusiness.com/food/2007/08/05/zend-framework-zend_db-when-to-quote-and-when-not-to-quote-user-input/34/ – Slay Jul 12 '12 at 17:05
  • Is it correct that for update and delete I would need to escape it? For select and insert, it's safe? – Slay Jul 12 '12 at 17:06
  • You *do* need to escape the conditional (WHERE) clauses in UPDATE, DELETE, and SELECT statements. The actual data given to the `insert()` and `update()` methods are escaped for you. If you use `fetchAll()` and need to pass a custom WHERE clause that contains user input, you must escape that as well. – drew010 Jul 12 '12 at 17:20
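The split drew010 describes in the thread above (values in the data array are bound for you, anything in the WHERE string is pasted into the SQL verbatim) can be seen end to end with plain PHP. The following is an added example, not code from the question, the answer or Zend Framework: it models Zend_Db_Adapter::update() with PDO on an in-memory SQLite database so it runs without Zend, and it uses PDO::quote() in the role quoteInto() plays in the answer. The table contents, the attacker value and the helper name update_with_where are constructed for the demo.

```php
<?php
// Added example, not from the original post. Models how Zend_Db's update()
// treats its arguments: SET values are bound as parameters (as Zend does with
// the data array), while the WHERE clause is a string supplied by the caller
// and inserted into the SQL as-is. Uses PDO + in-memory SQLite so it runs
// without Zend Framework; table, rows and attacker input are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zp_mobile_page (page_id INTEGER PRIMARY KEY, page_title TEXT)');
$db->exec("INSERT INTO zp_mobile_page (page_id, page_title) "
        . "VALUES (1, 'Home'), (2, 'About'), (3, 'Contact')");

// Hypothetical helper mirroring $adapter->update($table, $data, $where):
// column values are bound, $where is concatenated raw. Column names are
// trusted here, exactly as they are in the question's $pagedata array.
function update_with_where(PDO $db, array $data, $where)
{
    $set = array();
    foreach (array_keys($data) as $column) {
        $set[] = $column . ' = ?';
    }
    $sql  = 'UPDATE zp_mobile_page SET ' . implode(', ', $set) . ' WHERE ' . $where;
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($data));
    return $stmt->rowCount();
}

// Constructed malicious input, e.g. taken from a request parameter.
$pageId = '1 OR 1=1';

// 1. Concatenation, as in the question: "OR 1=1" becomes part of the SQL,
//    so the WHERE matches every row and every page title is overwritten.
$rows = update_with_where($db, array('page_title' => 'pwned'), 'page_id = ' . $pageId);
echo "concatenated WHERE touched $rows rows\n";

// 2. The answer's fix. quoteInto('page_id = ?', $v) yields page_id = '<quoted v>';
//    PDO::quote() does the same job here. The input is now one string literal,
//    so it can only be compared as a value, never executed as SQL.
$where = 'page_id = ' . $db->quote($pageId);   // page_id = '1 OR 1=1'
$rows  = update_with_where($db, array('page_title' => 'Home'), $where);
echo "quoted WHERE touched $rows rows\n";

// 3. The same idea with a placeholder bound in the WHERE clause, which
//    Zend_Db_Adapter's query() and fetchAll() support through their $bind
//    argument: the value never enters the SQL text at all.
$stmt = $db->prepare('UPDATE zp_mobile_page SET page_title = ? WHERE page_id = ?');
$stmt->execute(array('Home', $pageId));
echo "bound WHERE touched " . $stmt->rowCount() . " rows\n";
```

Run with PHP and the pdo_sqlite extension, the concatenated form reports 3 rows (the whole table rewritten by one crafted id), while the quoted and the bound forms report 0, because SQLite compares the integer column with the text '1 OR 1=1' and finds no match. On MySQL the quoted literal is coerced to the number 1 (with a truncation warning), so those two forms would update page 1 only; in neither case does the injected "OR 1=1" reach the parser as SQL.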