Home/ Questions/Q 4576106
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T20:09:31+00:00

Currently I’m working with Zend framework and I need help with Zend_db update in

  • 0

Currently I’m working with Zend framework and I need help with Zend_db update in Zend_Db_Table_Abstract class.

Here is my SQL statement

UPDATE user
   SET password = '$password',
`enter code here`  WHERE email = '$email'

Here is my code in zend_db

   public function updatePassword($password,$email)
    {
       $data = array(
            'password' => $password
        );

       $where = "email = '". $email ."'";
    $this->update($data, 'email = '.$email);


    }

This only work if I update using int id as my where clause but I wanted to use a email string as a where clause.

Can someone please help me the best way to achieve this?

I wanted to be secure and avoid SQL Injection attack

Thanks so much in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You approach only works with integer values, because the way you concat the where string does not escape the value. So if you do

    'email = '.$email

    It will product an sql string like this if you use the string “hello world”

    WHERE email = hello world

    This is an invalid SQL statement so the update does not happen. What you want to produce is a where clause like this

    WHERE email = 'hello world'

    There are multiple ways to do this, but the safest way to do that via Zend Framework is described in the reference manual under “Example #24 Updating Rows Using an Array of Arrays”.

    $data = array(
  'password' => $password
);
$where['email = ?'] = $email;
$this->update($data, $where);
    • 0