Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>I wrote a lot of the code for database parameters and quoting in Zend Framework while I was the team lead for the project (up to version 1.0).</p> <p>I tried to encourage best practices where possible, but I had to strike a balance with ease of use.</p> <p>Note that you can always examine the string value of a <code>Zend_Db_Select</code> object, to see how it has decided to do quoting. </p> <pre><code>print $select; // invokes __toString() method </code></pre> <p>Also you can use the <code>Zend_Db_Profiler</code> to inspect the SQL that is run on your behalf by <code>Zend_Db</code>.</p> <pre><code>$db-&gt;getProfiler()-&gt;setEnabled(true); $db-&gt;update( ... ); print $db-&gt;getProfiler()-&gt;getLastQueryProfile()-&gt;getQuery(); print_r $db-&gt;getProfiler()-&gt;getLastQueryProfile()-&gt;getQueryParams(); $db-&gt;getProfiler()-&gt;setEnabled(false); </code></pre> <p>Here are some answers to your specific questions:</p> <ul> <li><p><code>Zend_Db_Select::where('last_name=?', $lname)</code></p> <p>Values are quoted appropriately. Although the "<code>?</code>" looks like a parameter placeholder, in this method the argument is actually quoted appropriately and interpolated. So it's not a true query parameter. In fact, the following two statements produce exactly the same query as the above usage:</p> <pre><code>$select-&gt;where( $db-&gt;quoteInto('last_name=?', $lname) ); $select-&gt;where( 'last_name=' . $db-&gt;quote($lname) ); </code></pre> <p>However, if you pass a parameter that is an object of type <code>Zend_Db_Expr</code>, then it's not quoted. You're responsible for SQL injection risks, because it's interpolated verbatim, to support expression values:</p> <pre><code>$select-&gt;where('last_modified &lt; ?', new Zend_Db_Expr('NOW()')) </code></pre> <p>Any other part of that expression that needs to be quoted or delimited is your responsibility. E.g., if you interpolate any PHP variables into the expression, safety is your responsibility. If you have column names that are SQL keywords, you need to delimit them yourself with <code>quoteIdentifier()</code>. Example:</p> <pre><code>$select-&gt;where($db-&gt;quoteIdentifier('order').'=?', $myVariable) </code></pre></li> <li><p><code>Zend_Db_Adapter_Abstract::insert( array('colname' =&gt; 'value') )</code></p> <p>Table name and column names are delimited, unless you turn off <code>AUTO_QUOTE_IDENTIFIERS</code>.</p> <p>Values are parameterized as true query parameters (not interpolated). Unless the value is a <code>Zend_Db_Expr</code> object, in which case it's interpolated verbatim, so you can insert expressions or <code>NULL</code> or whatever.</p></li> <li><p><code>Zend_Db_Adapter_Abstract::update( array('colname' =&gt; 'value'), $where )</code></p> <p>Table name and column names are delimited, unless you turn off <code>AUTO_QUOTE_IDENTIFIERS</code>.</p> <p>Values are parameterized, unless they are <code>Zend_Db_Expr</code> objects, as in <code>insert()</code> method.</p> <p>The <code>$where</code> argument is not filtered at all, so you're responsible for any SQL injection risks in that one. You can make use of the <code>quoteInto()</code> method to help make quoting more convenient.</p></li> </ul>
    singulars
    1. This table or related slice is empty.
    1. POavoiding MySQL injections with the Zend_Db class
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USBill Karwin
    1. USBill Karwin
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POavoiding MySQL injections with the Zend_Db class
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COGreat answer, Bill, and a great component all round :)
      singulars
      1. PO
      1. USDavid Snabel-Caunt
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload