rockstardev

Reputation: 13527

Sanitize input for SQL using Zend Framework?

I'm aware of Quote and QuoteInto, neither of which can help me with the following. I need to sanitize the input for the following SQL:

select * from log where message like '%bla%'

QuoteInto and Quote will add quotes that won't work with the % (wildcards). How do I sanitize this input so I end up with a "safe" SQL statement as above?

Upvotes: 0

Views: 891

Answers (1)

jcsanyi

Reputation: 8174

Append the % characters directly to your variable, and quote the entire value.
That would look something like this:

 $value = 'bla';
 $db->quoteInto("SELECT * FROM log WHERE message LIKE ?", "%{$value}%");

As compared to this, which gives you the bad results you described:

 $value = 'bla';
 $db->quoteInto("SELECT * FROM log WHERE message LIKE '%?%'", $value);

Upvotes: 3
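As an added example (not part of the answer above), the same quoteInto() approach, extended with one caveat the answer does not cover: any % or _ typed by the user is still a LIKE wildcard after quoting, so a "contains" search should escape those characters and declare the escape character with an ESCAPE clause. It assumes $db is a connected Zend Framework 1 Zend_Db_Adapter_Abstract instance.

```php
<?php
// Assumption: $db is a Zend_Db_Adapter_Abstract (e.g. from Zend_Db::factory()).
// quoteInto() takes care of SQL string quoting; it does NOT neutralise the
// LIKE metacharacters % and _, which escapeLikeValue() handles instead.

/**
 * Escape LIKE metacharacters so they match literally.
 * '!' is used as the escape character because it is portable across
 * MySQL and PostgreSQL and avoids backslash double-handling.
 */
function escapeLikeValue($value, $escapeChar = '!')
{
    // Escape the escape character first, then % and _.
    return str_replace(
        array($escapeChar,               '%',              '_'),
        array($escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'),
        $value
    );
}

/**
 * Build a "message contains $userInput" query as the answer suggests:
 * wildcards are appended to the value, and the whole value is quoted.
 */
function buildContainsQuery(Zend_Db_Adapter_Abstract $db, $userInput)
{
    $pattern = '%' . escapeLikeValue($userInput) . '%';
    // ESCAPE tells the database which character escapeLikeValue() used.
    return $db->quoteInto(
        "SELECT * FROM log WHERE message LIKE ? ESCAPE '!'",
        $pattern
    );
}

// Constructed input containing a quote and both LIKE wildcards: the quote is
// handled by quoteInto(), the wildcards by escapeLikeValue(), so the query
// matches the literal text 50%_off' rather than "50" followed by anything.
$sql = buildContainsQuery($db, "50%_off'");
$rows = $db->fetchAll($sql);
```

Without the escaping step, an input of just "%" would match every row in the log table, which is harmless to the query's structure but rarely what the application intends.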
