Prevent SQL injection in Zend Framework (Pimcore)

After some attempts to prevent SQL injection with mysql_real_escape_string, which worked fine on my local server but not on the production server, I use the Zend Framework's built-in protection against SQL injection. When you pass values to the select(), where(), update() and related methods as separate arguments (the ? placeholder) instead of concatenating them into the SQL string, the adapter quotes them for you and the query is protected against SQL injection. This covers values only: table and column names cannot be passed through a placeholder, so a dynamic identifier must be checked against a whitelist and wrapped with quoteIdentifier() instead.


<?php
// SELECT: the value 'foo' is bound to the ? placeholder, not concatenated
$select = $db->select()
             ->from('table1')
             ->joinUsing('table2', 'column1')
             ->where('column2 = ?', 'foo');

// UPDATE: column values and WHERE values are passed as arrays and quoted by the adapter
$data = array(
    'updated_on' => '2007-03-23',
    'bug_status' => 'FIXED',
);

$where = array();
$where['reported_by = ?'] = 'goofy';
$where['bug_status = ?']  = 'OPEN';

$n = $db->update('bugs', $data, $where);

// QUOTE: escape a single value for use in a SQL string
$name = $db->quote("O'Reilly");

// ...or quote with an explicit type, so the value is cast to an integer
$value = '1234';
$sql = 'SELECT * FROM atable WHERE intColumn = ' . $db->quote($value, 'INTEGER');

// ...or quote a value into a ? placeholder in one step
$sql = $db->quoteInto("SELECT * FROM bugs WHERE reported_by = ?", "O'Reilly");
?>

Source: http://framework.zend.com/manual/1.12/en/zend.db.select.html
http://framework.zend.com/manual/1.12/en/zend.db.adapter.html

http://framework.zend.com/manual/1.12/en/zend.db.adapter.html#zend.db.ad...
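The following is an added example, not code from the original post and not Pimcore's or Zend Framework's own code. It puts a concatenated query next to the Zend_Db_Select, bound-parameter and quoteIdentifier() variants and runs all of them against a constructed tautology payload. It assumes Zend Framework 1.12 is on the include_path and that the PDO SQLite extension is available, so it runs offline against an in-memory database; the bugs table, its columns and the find* function names are made up for the demo.

```php
<?php
// Added example (not from the original post, Pimcore or Zend Framework).
// Assumes Zend Framework 1.12 on the include_path and the PDO SQLite
// extension, so the demo runs against an in-memory database.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, reported_by TEXT, bug_status TEXT)');
$db->insert('bugs', array('reported_by' => 'goofy',    'bug_status' => 'OPEN'));
$db->insert('bugs', array('reported_by' => "O'Reilly", 'bug_status' => 'FIXED'));

// Constructed attacker input: closes the string literal and appends a tautology.
$attacker = "nobody' OR '1'='1";

// VULNERABLE: the value is embedded in the SQL text, so the quote inside
// $attacker ends the literal and the rest becomes part of the WHERE clause.
function findByReporterUnsafe(Zend_Db_Adapter_Abstract $db, $name)
{
    $sql = "SELECT * FROM bugs WHERE reported_by = '" . $name . "'";
    return $db->fetchAll($sql);
}

// SAFE: Zend_Db_Select::where() quotes the value into the ? placeholder,
// so the whole payload is compared as one string.
function findByReporterSelect(Zend_Db_Adapter_Abstract $db, $name)
{
    $select = $db->select()
                 ->from('bugs')
                 ->where('reported_by = ?', $name);
    return $db->fetchAll($select);
}

// SAFE: a prepared statement; the adapter hands the value to the driver
// separately from the SQL text.
function findByReporterBound(Zend_Db_Adapter_Abstract $db, $name)
{
    return $db->fetchAll('SELECT * FROM bugs WHERE reported_by = ?', array($name));
}

// Identifiers are not values and cannot go through a ? placeholder.
// Whitelist the name, then wrap it with quoteIdentifier() so it cannot
// break out of the identifier position.
function findSortedBy(Zend_Db_Adapter_Abstract $db, $column)
{
    $allowed = array('bug_id', 'reported_by', 'bug_status');
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unknown sort column: ' . $column);
    }
    $sql = 'SELECT * FROM bugs ORDER BY ' . $db->quoteIdentifier($column);
    return $db->fetchAll($sql);
}

printf("unsafe: %d row(s)\n", count(findByReporterUnsafe($db, $attacker)));
printf("select: %d row(s)\n", count(findByReporterSelect($db, $attacker)));
printf("bound:  %d row(s)\n", count(findByReporterBound($db, $attacker)));
printf("sorted: %d row(s)\n", count(findSortedBy($db, 'reported_by')));

try {
    findSortedBy($db, 'reported_by; DROP TABLE bugs');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with php on the command line. The unsafe variant returns both rows because the payload turns the clause into reported_by = 'nobody' OR '1'='1', while the two safe variants return nothing because no reporter is literally named "nobody' OR '1'='1". findSortedBy shows the case the placeholder cannot cover: the column name is validated before it ever reaches the SQL string.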

Another option that comes up is the filter_var() function, but FILTER_SANITIZE_STRING only strips HTML tags and HTML-encodes quotes. That does not make a value safe to embed in SQL, so it is no substitute for quoting or parameter binding; it is also deprecated as of PHP 8.1.

<?php
$result[$key] = filter_var($value, FILTER_SANITIZE_STRING);
?>

http://php.net/manual/en/function.filter-var.php
