
I have a SQL query in Zend Framework 2. It works great, but I forgot to escape my $sessionId, just to protect my variable so that nobody can inject my SQL query. Here is my SQL query:

    SELECT parent.category_name, parent.category_id ,COUNT(product.product_id) AS count, 
    (select count(*) from Categories parent2 
    where parent.category_left > parent2.category_left
    and parent.category_right < parent2.category_right) as level
    FROM Categories parent
    LEFT OUTER JOIN Categories node 
    ON node.category_left BETWEEN parent.category_left AND parent.category_right
    LEFT OUTER JOIN products product
    ON node.category_id = product.product_category_id
    WHERE product.product_shop_id = '.$sessionId.'
    GROUP BY parent.category_name
    ORDER by node.category_left;

I could have written it in a Zend $select object; with this, Zend would have escaped it by itself. Is there any way to escape this variable while using this SQL query? (I also tried mysql_real_escape_string(), but I've read this function is too old to use.)

Greetings =)

  • possible duplicate of [Best way to prevent SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – akond Aug 21 '12 at 08:52

1 Answer


Tons of methods to do this. Check out this question: How can I prevent SQL injection in PHP?

It discusses at least 4-5 different methods with their benefits for escaping general queries in PHP.

Just to be clear, the methods there aren't specific to Zend Framework, but mysql_real_escape_string isn't specific either :)

Also, unless you want to use PDO (which is what most people recommend), I don't see any issues with mysql_real_escape_string. I don't think it's too old to use as in dangerous - there are just more modern ways to achieve the same thing.

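As an added example (not code from the question or the answer), here is the same query run through the ZF2 database adapter with a bound parameter instead of splicing $sessionId into the SQL string. It assumes a configured Zend\Db\Adapter\Adapter in $adapter and that the shop id is an integer; both are assumptions, not facts from the page.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumes: $adapter is a configured Zend\Db\Adapter\Adapter and
// product_shop_id is an integer column (both assumptions).
use Zend\Db\Adapter\Adapter;

function fetchCategoryCounts(Adapter $adapter, $sessionId)
{
    // Fail closed before touching the database: a shop id that is not a
    // non-negative integer is a bug or tampering, never a valid lookup.
    if (!ctype_digit((string) $sessionId)) {
        throw new InvalidArgumentException('shop id must be an integer');
    }

    // The "?" placeholder is sent to the server separately from the SQL text,
    // so no quoting or escaping of the value is needed. Positional
    // placeholders work with both the Mysqli and Pdo_Mysql drivers.
    $sql = '
        SELECT parent.category_name, parent.category_id,
               COUNT(product.product_id) AS count,
               (SELECT COUNT(*) FROM Categories parent2
                 WHERE parent.category_left  > parent2.category_left
                   AND parent.category_right < parent2.category_right) AS level
          FROM Categories parent
          LEFT OUTER JOIN Categories node
            ON node.category_left BETWEEN parent.category_left AND parent.category_right
          LEFT OUTER JOIN products product
            ON node.category_id = product.product_category_id
         WHERE product.product_shop_id = ?
         GROUP BY parent.category_name
         ORDER BY node.category_left';

    // Passing an array of parameters makes Adapter::query() prepare the
    // statement, bind the values and execute it, returning a ResultSet.
    $result = $adapter->query($sql, array((int) $sessionId));

    $rows = array();
    foreach ($result as $row) {
        $rows[] = $row;
    }
    return $rows;
}
```

The same placeholder approach applies if you drop down to PDO directly, which is what the linked answer recommends.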