For those of you who are a lot like me, the ones who can't live without cheatsheets, I have put together a cheatsheet for the Zend Framework database classes (Zend_Db, Zend_Db_Table and friends).
It has notes on how to insert a row, update, delete, fetch, join tables, and use transactions. I could never memorize any of this, and the page has been very useful to me, so I am sharing it.
Click here for the Zend_Db cheatsheet.
I noticed in your Zend_Db cheatsheet, you show multiple examples of interpolating PHP integer variables into SQL expressions. In the specific cases you show, this is okay because the variable has only values defined in the same function. But in general, variables might contain data that comes from an untrusted source, such as user input. This introduces a risk of a SQL injection vulnerability, either by accident or through a malicious attacker.
So you should use the Zend_Db quoteInto() method to help reduce this risk. For example, instead of this:
$where = 'id="' . $id . '"'; // Risk of SQL injection
You should do this:
$db = $claimH->getAdapter();
$where = $db->quoteInto('id = ?', $id);
The result is that $id is interpolated into the SQL expression with proper SQL quote delimiters, and any special characters within the content of $id are escaped.
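To make the difference concrete, here is an added, runnable example (not the commenter's code and not from the cheatsheet) that builds the same WHERE clause both ways against a throwaway in-memory SQLite database. It assumes Zend Framework 1 is on the include_path and PHP has the PDO SQLite driver; the claims table, its rows and the malicious $id value are all constructed for the demonstration.

```php
<?php
// Added example: string-interpolated WHERE clause vs. quoteInto() in Zend_Db.
// Assumes Zend Framework 1 on the include_path and the pdo_sqlite extension.
require_once 'Zend/Db.php';

// Throwaway in-memory database so the example runs offline.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));

// Constructed sample table and rows.
$db->query('CREATE TABLE claims (id INTEGER PRIMARY KEY, owner VARCHAR(50), amount INTEGER)');
$db->insert('claims', array('id' => 1, 'owner' => 'alice', 'amount' => 100));
$db->insert('claims', array('id' => 2, 'owner' => 'bob',   'amount' => 250));
$db->insert('claims', array('id' => 3, 'owner' => 'carol', 'amount' => 999));

// Constructed untrusted input, as it might arrive in $_GET['id'].
// The single quote closes the literal and the OR clause matches every row.
$id = "1' OR '1'='1";

// 1. The risky pattern: the raw value is spliced into the SQL text, so the
//    quote characters inside $id become part of the query's syntax.
$where = "id='" . $id . "'";
$rows  = $db->fetchAll("SELECT * FROM claims WHERE $where");
printf("unsafe:    %d row(s), SQL: %s\n", count($rows), $where);

// 2. quoteInto(): the adapter wraps the value in quote delimiters and escapes
//    the embedded quotes, so the whole payload is compared as one string
//    and matches nothing.
$where = $db->quoteInto('id = ?', $id);
$rows  = $db->fetchAll("SELECT * FROM claims WHERE $where");
printf("quoteInto: %d row(s), SQL: %s\n", count($rows), $where);

// 3. For a numeric column, pass the type so the value is cast to an integer
//    (intval) rather than quoted; non-numeric junk cannot survive the cast.
$where = $db->quoteInto('id = ?', $id, Zend_Db::INT_TYPE);
$rows  = $db->fetchAll("SELECT * FROM claims WHERE $where");
printf("int type:  %d row(s), SQL: %s\n", count($rows), $where);

// 4. Bound parameters keep the value out of the SQL text entirely; this is
//    the option to prefer whenever the adapter call accepts bind values.
$rows = $db->fetchAll('SELECT * FROM claims WHERE id = ?', array($id));
printf("bound:     %d row(s)\n", count($rows));

// update()/delete() take a WHERE string too, so build it the same safe way.
$db->update('claims', array('amount' => 0),
            $db->quoteInto('id = ?', $id, Zend_Db::INT_TYPE));
```

Step 1 returns every row, because the injected `OR '1'='1'` is evaluated as SQL; steps 2 and 4 return none, since the payload is treated purely as data. Step 3 shows the optional third argument to quoteInto(): when the column is an integer, casting is stricter than quoting, and the same type hint works with Zend_Db_Select's where() and the WHERE strings passed to update() and delete().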
Thanks for the reply.
I will be making the changes to the examples.
Thanks for the cheatsheet