Reputation: 5590
I'm looking at some Zend Framework code a developer I'm working with is using, and in it I see the following:
$select = new Zend_Db_Select($DB);
$sql = $select->where("id ='".$id."'");
Now, $id is not sanitized anywhere, and I was under the impression that you're only protected from injection via Zend if you use placeholders -- this string is vulnerable, I thought.
The author of the code claims Zend takes care of it even in this case, although I can't find in the documentation where it says so.
Can anyone clear up if this is, in fact, safe?
Upvotes: 2
Views: 8109
Reputation: 21
I do this:
$id = 3;
$where = $this->getAdapter()->quoteInto("id = ?", $id);
Result:
id = '3'
This method automatically adds single quotes, building the SQL correctly. I think it is very efficient.
Upvotes: 1
Reputation: 351
You are correct. The other developer is mistaken.
If you look at the documentation here you can find comments towards the bottom of the page that discuss example #20 as being subject to SQL injection if the parameters were coming from user input. Example #20 is more-or-less doing the same thing as the code you pasted. (Although, your code has single quotes, but this of course doesn't make it any safer.)
I have no idea why anyone would disregard the placeholders in favor of this unsafe and less clean way of writing it.
Upvotes: 5
Reputation: 4346
Use placeholders, Zend will sanitize your data.
$select = new Zend_Db_Select($DB);
$sql = $select->where("id = ? ", $id);
Upvotes: 0
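An added example (not code from the question or from any of the answers) that puts the three forms discussed on this page side by side: the concatenated where() from the question, the quoteInto() form from the second post, and the placeholder form from the last answer. It assumes Zend Framework 1 is on the include_path and that the pdo_sqlite extension is available, and it uses an in-memory SQLite database so nothing else is needed. The table, rows and the untrusted value $id are constructed for the demonstration.

```php
<?php
// Added example, not from the original page. Assumes Zend Framework 1
// on the include_path and PDO SQLite; the database is in-memory.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->insert('users', array('id' => 1, 'name' => 'alice'));
$db->insert('users', array('id' => 2, 'name' => 'bob'));

// Constructed untrusted input: a value that contains a quote character,
// exactly what a request parameter may contain.
$id = "1'";

// 1. The pattern from the question. The surrounding single quotes do not
//    protect anything: the quote inside $id closes the literal and the
//    rest of the input becomes part of the SQL grammar. Here that only
//    produces a malformed statement, but the structure of the query is
//    now controlled by the input, which is the definition of injection.
$unsafe = new Zend_Db_Select($db);
$unsafe->from('users')->where("id = '" . $id . "'");
echo "concatenated: " . $unsafe . "\n";
try {
    $db->fetchAll($unsafe);
    echo "concatenated form executed\n";
} catch (Exception $e) {
    echo "concatenated form failed: " . $e->getMessage() . "\n";
}

// 2. quoteInto(), as in the second post: the adapter escapes the value and
//    wraps it in quotes, so the quote in $id stays inside the literal.
$where = $db->quoteInto('id = ?', $id);
echo "quoteInto:    " . $where . "\n";   // id = '1''' on SQLite

// 3. Placeholder in where(), as in the last answer. Internally this is the
//    same quoteInto() call, so the value is always treated as data.
$safe = new Zend_Db_Select($db);
$safe->from('users')->where('id = ?', $id);
echo "placeholder:  " . $safe . "\n";
$rows = $db->fetchAll($safe);
echo "placeholder form matched " . count($rows) . " row(s)\n";  // 0
```

Run it with `php example.php`. The concatenated query fails at the database because the input has rewritten its structure; with quoteInto() or the where() placeholder the same input is escaped and simply matches no row. The escaping style in the output (`'1'''`) is what PDO SQLite produces; other adapters quote differently, which is exactly why the quoting should be left to the adapter rather than done by hand in the string.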