ZEND_DB_TABLE_ABSTRACT methods SQL INJECTION

Question

Is it possible for to sql inject a ZEND_DB_TABLE_ABSTRACT method?

like for example

 $this->insert();

edit for a more clearer explanation

Post values are :

'username' = 'admin';

'password' = '1;Drop table users;'

Here is the insert statement in the controller:

public function InsertAction() {
    $postValues =   $this->_request->getPost();
    $usersTable = new Application_Models_DbTable_Users();
    $username = $postValues['username'];
    $password = $postValues['password'];
    $data = array('username'=>$username,'password'=>$password);
    $users->insert($data);
}

can you be little more clear with your code and explanation? — Sam Arul Raj T, Feb 21 '12 at 06:02
if you create your own model class that "extends Zend_Db_Table_Abstract" , you can add any methods you want — max4ever, Feb 21 '12 at 08:44

score 2 · Accepted Answer · edited May 23 '17 at 11:56

2

Yes, it is possible, but in the usual uses of insert() it's not probable. Unless you are using Zend_Db_Expr, you should be safe, because insert() uses prepared statements.

See this post from Bill Karwin for other methods and details.

edited May 23 '17 at 11:56

Community

1
1

answered Feb 21 '12 at 10:19

bububaba

2,840
6
25
29

score 0 · Answer 2 · answered Feb 21 '12 at 09:53

0

Check the manual of Zend Zend_Db_Table

It will show you who you can create your own method.

answered Feb 21 '12 at 09:53

David

1,679
11
22

ZEND_DB_TABLE_ABSTRACT methods SQL INJECTION

2 Answers2