I was going to fetch a column from the database given as a POST param, so I started to write the code:

```php
$db->select()->from('table', array('field' => $PARAM))->query()->fetchAll();
```

Then I started to wonder whether it is a safe method to pass $PARAM to the query. I searched the web and the documentation but didn't find an unequivocal answer.
So I made some experiments, giving $PARAM different values and watching the output query. What I noticed was that ` characters were prepended with another ` character, but \ or \n etc. remained unchanged.
My question is: is it safe? Is it enough to escape only ` characters? The manual says that those other characters should also be escaped.

Liberat0r
    It uses [prepared statements with PDO](http://stackoverflow.com/a/60496/149998) rather than the deprecated `mysql_` functions. So yes, it's safe. – bcmcfc Jul 04 '14 at 10:17
  • Have you already looked at the [source code](https://github.com/zendframework/zf1)? – Gumbo Jul 04 '14 at 12:31
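An added example (not code from the question or from Zend Framework) of the defensive pattern: resolve the POST value through an allow-list so that only known column names ever reach `from()`, independent of whatever the adapter's identifier quoting does. It assumes `$db` is a configured Zend_Db_Adapter_Abstract; the table and column names are constructed.

```php
<?php
// Added example (not code from the question or from Zend Framework): keep
// untrusted request values out of the identifier position entirely by
// mapping them onto an allow-list of column names. Whatever the adapter's
// quoteIdentifier() does, the string reaching from() is then always one of
// our own literals. Assumption: $db is a configured Zend_Db_Adapter_Abstract.

/** Public names the client may ask for => real column names (constructed). */
const ALLOWED_COLUMNS = [
    'id'    => 'id',
    'name'  => 'name',
    'email' => 'email_address',
];

/**
 * Resolve one or more requested public names to real column names.
 * Unknown or non-string names and empty requests are rejected; duplicates
 * collapse because the alias is the array key. The untrusted strings are
 * only ever used as array keys, never interpolated into SQL.
 */
function resolveColumns(array $requested): array
{
    if ($requested === []) {
        throw new InvalidArgumentException('No column requested');
    }
    $resolved = [];
    foreach ($requested as $name) {
        if (!is_string($name) || !array_key_exists($name, ALLOWED_COLUMNS)) {
            throw new InvalidArgumentException('Unknown column requested');
        }
        $resolved[$name] = ALLOWED_COLUMNS[$name];   // alias => column, as from() expects
    }
    return $resolved;
}

/** The query from the question, rebuilt with the resolved identifiers. */
function fetchColumns(Zend_Db_Adapter_Abstract $db, array $requested): array
{
    $cols = resolveColumns($requested);            // throws on anything unexpected
    return $db->select()->from('table', $cols)->query()->fetchAll();
}

// Constructed stand-ins for $_POST['field'] (run with: php this_file.php).
foreach ([['name'], ['id', 'email'], ['na`me'], ['name\\n'], []] as $input) {
    try {
        echo json_encode($input), ' -> ', json_encode(resolveColumns($input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($input), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

The constructed inputs containing a backtick or a backslash are rejected before any quoting is involved, which is the property the question is probing for.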