Hi I have this small code fragment from a web application built on ZEND

Question

0

Asked: June 15, 20262026-06-15T11:26:11+00:00 2026-06-15T11:26:11+00:00

Hi I have this small code fragment from a web application built on ZEND

0

Hi I have this small code fragment from a web application built on ZEND framework that is not safe since ‘name’ is fetched from post request. Is there a standard ZEND way to prevent special symbols in $data? Like $where has the quoteInto.

$name = $this->_request->getParam('name');

// update query
$data = array(
    'name' => $name
);
$where = array(
    $users->getDbAdapter()->quoteInto('user_id = ?', $userId),
);
$users->update($data, $where);

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-15T11:26:12+00:00

Tim is correct if a bit terse. 🙂

The $data array in an update statment in Zend_Db is broken down into bound parameters. You can find the exact code in Zend_Db_Adapter_Abstract.

There are a number of procedures involved but the array ultimately ends up in this statement.

$set[] = $this->quoteIdentifier($col, true) . ' = ' . $val;

where your original array was $col => $val

then the SQL is created:

    $sql = "UPDATE "
         . $this->quoteIdentifier($table, true)
         . ' SET ' . implode(', ', $set)
         . (($where) ? " WHERE $where" : '');

It looks reasonably secure against SQL injection.

However you can always employ Zend_Filter_Input with Zend_Validate and Zend_Filter to really sanitize your input values.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Hi I have this small code fragment from a web application built on ZEND

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply