Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Does using prepared statements in Zend_DB or Doctrine protect me from sql injection?
example:
$stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND password = ?');
$rs = $stmt->execute('peter', 'secret');
Or do I have to check strings and types types myself?
Another quickie: Which of the two is best? I only need the DB abstraction (w/ statements, procedures, and transactions).
Yes.
Prepared statements, whether done with Zend_Db, Doctrine or plain old mysqli, protect you from injection by separating the query structure from the data. This means that if you prepare a statement that selects users based on their name and password, no hacker will be able to provide data that turns that statement into a different one.
Just make sure that the query itself is a string constant.
As for your second question, Doctrine and Zend_Db have different approaches that fit different situations and different aesthetic preferences. There have already been several questions on the topic here.