When using the Zend_Db_Table_Abstract save() function to update a database, do I need to worry about SQL injection (quote my parameters) or is it done automatically?
How can I see how the query looks?
No, you don't have to worry about SQL injection when using save().
Behind the scenes, Zend Framework uses Zend_Db_Adapter_Abstract::insert() and Zend_Db_Adapter_Abstract::update(), which use bind parameters. All values will be escaped by the framework to prevent SQL injection.
The only risk of SQL injection is when using Zend_Db_Expr to create custom / advanced queries, but this cannot happen when using save().
You may want to have a look at Zend_Db_Profiler to list all queries generated by the framework.
Alternatively, you can also enable your database query logs. See How to enable MySQL Query Log? for MySQL, or How to log PostgreSQL queries? for Postgres.
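As an added illustration of the answer above (example code, not the answerer's), the following Zend Framework 1 script saves a row containing a hostile-looking string through save(), then uses Zend_Db_Profiler to show that the SQL text only contains placeholders while the value travels as a bind parameter; it also shows why a Zend_Db_Expr is different. The table name, column names and connection settings are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes Zend Framework 1 on the
// include path and a table "users" with columns id, email, name, created_at.
// Connection settings below are placeholders.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table/Abstract.php';

class Users extends Zend_Db_Table_Abstract
{
    protected $_name    = 'users';   // assumed table name
    protected $_primary = 'id';
}

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',       // placeholder
    'username' => 'app',             // placeholder
    'password' => 'secret',          // placeholder
    'dbname'   => 'appdb',           // placeholder
));
Zend_Db_Table_Abstract::setDefaultAdapter($db);

// Record every query the adapter executes so we can inspect it afterwards.
$db->getProfiler()->setEnabled(true);

// A value containing a quote and SQL keywords, as it might arrive from a form.
// save() hands it to insert()/update() as a bind parameter, so it never becomes
// part of the SQL text the server parses.
$untrusted = "O'Brien'; DROP TABLE users; --";

$users = new Users();
$row = $users->createRow(array(
    'email'      => 'ob@example.com',
    'name'       => $untrusted,
    // Zend_Db_Expr is copied verbatim into the SQL text, so it must only wrap
    // trusted literal SQL (here NOW()), never anything derived from user input.
    'created_at' => new Zend_Db_Expr('NOW()'),
));
$row->save();

// The recorded profile separates the SQL (with ? placeholders and the literal
// NOW()) from the bound values, which are sent to the driver unescaped.
$profile = $db->getProfiler()->getLastQueryProfile();
echo $profile->getQuery(), PHP_EOL;
print_r($profile->getQueryParams());
```

Enabling the profiler in production adds overhead, so turn it on only while inspecting queries during development.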