Awais Qarni

Reputation: 18016

After using quoteInto Am I safe from SQL injection?

Hello, I am using quoteInto in my query like below:

 // Alias the table as "eu" so the column reference in the WHERE clause resolves
 $select = $adapter->select()
     ->from(array('eu' => 'users'))
     ->where($adapter->quoteInto('eu.username LIKE ?', '%' . $param['name'] . '%'));

When I pass anything like 'or -1=-1' or anything like

 ' or 1=1--
 ' or 1--
 ' or 1
 \" or '1'
 ' or 1=1--
 ' OR ''='
 ' or 'a'='a
 ') or ('a'='a
 '; exec master..xp_cmdshell 'ping 10.10.1.2'--
 ';

When I echo my query, all this stuff is put in the LIKE clause of my query. I just want to ask whether, after quoting, my query is safe from SQL injection?

Upvotes: 1

Views: 335

Answers (1)

Alex

Reputation: 6470

Yes, you are safe from SQL injections by using the db adapter quote functions.

When you use quoteInto, Zend will call the Zend_Db_Adapter::quote method to escape the value string.

From Zend Docs:
The quote() method accepts a single argument, a scalar string value. It returns the value with special characters escaped in a manner appropriate for the RDBMS you are using, and surrounded by string value delimiters.

To make your application safer you should also use Zend_Form with elements utilizing the available Zend Filters and Zend Validators. Validation of elements will catch the problem and avoid junk database calls, and filters will sanitize your data!

Upvotes: 1
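As an added example (not the asker's code and not Zend Framework's own implementation), the stand-in below emulates what quoteInto does, using PDO::quote() as the escaping step, and runs the question's query shape against a constructed in-memory SQLite table to show where each input ends up. It assumes PHP with the pdo_sqlite driver; the `quoteInto` and `escapeLike` functions are hypothetical helpers written for this example.

```php
<?php
// Constructed sample data: an in-memory SQLite database with a few users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
foreach (['alice', 'bob', 'carol_x'] as $u) {
    $pdo->exec('INSERT INTO users (username) VALUES (' . $pdo->quote($u) . ')');
}

/**
 * Stand-in for Zend_Db_Adapter::quoteInto() (assumption: single ? placeholder).
 * The ? is replaced by the value with special characters escaped and
 * surrounded by string delimiters, so the value can never close the literal.
 */
function quoteInto(PDO $pdo, string $sql, string $value): string
{
    return str_replace('?', $pdo->quote($value), $sql);
}

/**
 * quote() only protects the SQL string literal; it does not treat the LIKE
 * wildcards % and _ as special. Escape them when the input must match literally.
 */
function escapeLike(string $value): string
{
    return addcslashes($value, '\\%_');
}

// Inputs taken from the question, plus a lone LIKE wildcard for the caveat.
$inputs = ["' or 1=1--", "' OR ''='", "') or ('a'='a", 'alice', '_'];

foreach ($inputs as $param) {
    // Same shape as the question's query: % wrapped around the quoted value.
    $where = quoteInto($pdo, 'eu.username LIKE ?', '%' . $param . '%');
    $sql   = 'SELECT eu.username FROM users eu WHERE ' . $where;
    $rows  = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    printf("%-20s | %-50s | %d row(s)\n", $param, $where, count($rows));
}

// Hardened variant for the wildcard case: escape % and _ and declare the
// escape character, so '_' matches only usernames containing an underscore.
$where = quoteInto($pdo, "eu.username LIKE ? ESCAPE '\\'", '%' . escapeLike('_') . '%');
$rows  = $pdo->query('SELECT eu.username FROM users eu WHERE ' . $where)
             ->fetchAll(PDO::FETCH_COLUMN);
printf("escaped '_'          | %-50s | %d row(s)\n", $where, count($rows));
```

Each quoted payload is printed as a single string literal inside the LIKE pattern, so the injection attempts simply match no rows, while the unescaped `_` shows that wildcard handling is a separate concern from SQL injection.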
