I’m having trouble with Zend Db’s update() method. It’s not safe against SQL injection on its own.
Select methods seem safe, so I could theoretically do a select and then simply do a save() after modifying the fields I want to update. But, I don’t want to have to run 2 queries – a select followed by an update, just to run an update. That doesn’t seem efficient.
To solve this, I tried to use mysql_real_escape_string(), but it actually caused the data I was trying to update to go into the database as an empty string. Not sure why.
Here is the code:
```php
public function updateMyTable($data, $id)
{
    // Escape every column value with the old mysql_* function
    $safeData = array();
    foreach ($data as $field => $val) {
        $safeData[$field] = mysql_real_escape_string($val);
    }
    // Build the WHERE clause the same way
    $where = array();
    $where[] = 'id = ' . mysql_real_escape_string($id);
    // Run the update through the table object
    self::instance()->update($safeData, $where);
}
```
Does anyone know if I have something incorrect that is causing the blank database entry? Or, a way to safely use update()? I didn’t want to use Zend’s quote() method because it actually puts slashes into my data in the database. Thanks.
mysql_real_escape_string needs a connection to the database opened by mysql_connect to work, and if the framework uses another driver, e.g. mysqli, it will fail to escape the string with this function. Look for the documentation; there should be a special method for escaping data within the framework.
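As an added example (not code from either poster), here is the same update written against Zend_Db_Table's own API: column values are bound by the adapter, and only the WHERE clause needs quoting, which quoteInto() does for the adapter actually in use. It assumes self::instance() returns a Zend_Db_Table_Abstract subclass; the class and table names are constructed.

```php
<?php
// Added example, not from the question or the answer.
// Assumes the Zend Framework 1 autoloader is set up and a default
// Zend_Db adapter has been registered for Zend_Db_Table.
class MyTable extends Zend_Db_Table_Abstract
{
    protected $_name = 'my_table';   // constructed table name

    // Hypothetical singleton accessor, mirroring self::instance() in the question
    public static function instance()
    {
        static $inst = null;
        if ($inst === null) {
            $inst = new self();
        }
        return $inst;
    }

    public function updateMyTable(array $data, $id)
    {
        $table = self::instance();
        $db    = $table->getAdapter();

        // Column values in $data are passed as bound placeholders by
        // Zend_Db_Adapter_Abstract::update(), so they are NOT escaped here.
        // Escaping them a second time is what stores stray slashes in the table.

        // The WHERE clause is raw SQL text, so it is the part that must be
        // quoted. quoteInto() replaces '?' with the value quoted by the
        // adapter that is really connected (mysqli, PDO, ...), which is what
        // mysql_real_escape_string() could not do without its own connection.
        $where = $db->quoteInto('id = ?', (int) $id);

        // Returns the number of affected rows
        return $table->update($data, $where);
    }
}

// Usage (constructed input): a value with a quote in it is stored verbatim,
// because it travels as a bound parameter rather than as SQL text.
// MyTable::instance()->updateMyTable(array('name' => "O'Brien"), 42);
```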