I’m looking at some Zend Framework code a developer I’m working with is using, and in it I see the following:
    $select = new Zend_Db_Select($DB);
    $sql = $select->where("id ='".$id."'"); // $id is concatenated into the SQL text, not bound as a placeholder
Now, $id is not sanitized anywhere, and I was under the impression that you’re only protected from injection via Zend if you use placeholders — this string is vulnerable, I thought.
The author of the code claims Zend takes care of it even in this case, although I can’t find in the documentation where it says so.
Can anyone clear up if this is, in fact, safe?
You are correct. The other developer is mistaken.
If you look at the documentation here you can find comments towards the bottom of the page that discuss example #20 as being subject to SQL injection if the parameters were coming from user input. Example #20 is more-or-less doing the same thing as the code you pasted. (Although your code has single quotes, this of course doesn’t make it any safer.)
I have no idea why anyone would disregard the placeholders in favor of this unsafe and less clean way of writing it.
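The two forms side by side, as an added example that is not from the question, the answer or the Zend Framework project itself. It assumes Zend Framework 1 is on the include_path, and the in-memory SQLite adapter, the "users" table and the input value are constructed for the demonstration.

```php
<?php
// Added example: contrasts the concatenated where() from the question with the
// placeholder form of Zend_Db_Select::where() under Zend Framework 1.
// Assumes ZF1 is on the include_path so its autoloader can be registered.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed setup: an in-memory SQLite adapter and a hypothetical "users" table.
$DB = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$DB->query('CREATE TABLE users (id VARCHAR(32) NOT NULL, name VARCHAR(64))');
$DB->insert('users', array('id' => "O'Brien", 'name' => 'alice'));

// Constructed input containing a single quote, the character that breaks the
// concatenated version: a perfectly ordinary value, not an attack string.
$id = "O'Brien";

// 1. The pattern from the question. where() only wraps the string in
//    parentheses; nothing inside it is escaped, so the quote in $id becomes
//    part of the SQL grammar and the statement is no longer the one intended.
$unsafe = new Zend_Db_Select($DB);
$unsafe->from('users')->where("id ='" . $id . "'");
echo $unsafe, "\n";
// SELECT "users".* FROM "users" WHERE (id ='O'Brien')
try {
    $DB->fetchAll($unsafe);
} catch (Zend_Db_Exception $e) {
    // Here the extra quote only causes a syntax error; with other input it
    // would change what the query does, which is the injection the answer describes.
    echo "concatenated form failed: ", $e->getMessage(), "\n";
}

// 2. The placeholder form. where($cond, $value) passes $value through the
//    adapter's quoteInto(), so whatever it contains stays a single literal.
$safe = new Zend_Db_Select($DB);
$safe->from('users')->where('id = ?', $id);
echo $safe, "\n";
// SELECT "users".* FROM "users" WHERE (id = 'O''Brien')
$rows = $DB->fetchAll($safe);
echo "placeholder form matched ", count($rows), " row(s)\n"; // 1
```

Rendering the select with `echo` (its `__toString()`) is a cheap way to review what a developer's `where()` call actually sends to the database before trusting it.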