Slay

Reputation: 1283

Is my function safe from SQL Injection?

    function update_page($page_id, $page_title, $page_content, $seo_title, $seo_keywords, $seo_desc) {
        $pagedata = array('page_title'   => $page_title,
                          'page_content' => $page_content,
                          'seo_title'    => $seo_title,
                          'seo_keywords' => $seo_keywords,
                          'seo_desc'     => $seo_desc);
        // $page_id is concatenated straight into the WHERE string, unquoted
        $this->dbo->update('zp_mobile_page', $pagedata, 'page_id = ' . $page_id);
        $return_message = "Page Updated!";
        return $return_message;
    }

Hi, I am using Zend DB. I read this forum about Zend, but I still do not get whether Zend's update/insert/select are safe from SQL injection, or whether I need to sanitize them again.

Can anyone guide me in layman terms?

Upvotes: 2

Views: 722

Answers (1)

drew010

Reputation: 69937

See @Nemanja's comment, but no, that isn't really safe from injection unless you are escaping $page_id manually somewhere else.

You need to use quoteInto in order to secure the data:

    $this->dbo->update('zp_mobile_page',
                       $pagedata,
                       // $this->dbo is a Zend_Db_Adapter (its update() takes the
                       // table name), so quoteInto() is available on it directly
                       $this->dbo->quoteInto('page_id = ?', $page_id));

You can also escape a single value using Zend_Db_Adapter::quote().

Upvotes: 1
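For completeness, here is the question's function rewritten around the answer above. This is an added example, not code from the answerer or from Zend Framework; it assumes `$this->dbo` is a `Zend_Db_Adapter_Abstract` instance (which the three-argument `update()` call in the question implies) and that the `PageModel` class and `page_id` validation are additions of this example.

```php
<?php
// Added example, not the answerer's or Zend's code. Assumes $this->dbo is a
// Zend_Db_Adapter_Abstract, as the 3-argument update() in the question implies.
class PageModel
{
    /** @var Zend_Db_Adapter_Abstract */
    private $dbo;

    public function __construct(Zend_Db_Adapter_Abstract $dbo)
    {
        $this->dbo = $dbo;
    }

    public function update_page($page_id, $page_title, $page_content,
                                $seo_title, $seo_keywords, $seo_desc)
    {
        // An id column should only ever hold a positive integer; reject
        // anything else before it gets near the database at all.
        if (!ctype_digit((string) $page_id) || (int) $page_id < 1) {
            throw new InvalidArgumentException('page_id must be a positive integer');
        }

        // Column values: Zend_Db binds these as statement parameters itself,
        // so they do not need to be escaped by hand.
        $pagedata = array(
            'page_title'   => $page_title,
            'page_content' => $page_content,
            'seo_title'    => $seo_title,
            'seo_keywords' => $seo_keywords,
            'seo_desc'     => $seo_desc,
        );

        // The WHERE clause is the one part update() does NOT bind for you.
        // Option 1: quoteInto() escapes and quotes the value in place of '?'.
        $where = $this->dbo->quoteInto('page_id = ?', (int) $page_id);

        // Option 2 (equivalent): pass the condition as an array; the adapter
        // applies quoteInto() to each 'condition' => value pair itself.
        // $where = array('page_id = ?' => (int) $page_id);

        // update() returns the number of affected rows.
        $rows = $this->dbo->update('zp_mobile_page', $pagedata, $where);

        return $rows === 1 ? 'Page Updated!' : 'No page with that id';
    }
}
```

The values in `$pagedata` are already parameterised by `update()`; only the hand-built `$where` string needs `quoteInto()` (or the array form), and casting `page_id` to an integer first narrows the input further.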
