eKini Web Developer Blog » escaping http://blog.ekini.net Wenbert Del Rosario: PHP, MySQL, Javascript, MVC, Zend Framework, AJAX, jQuery. Tue, 24 Aug 2010 00:13:42 +0000 en hourly 1 http://wordpress.org/?v=3.0 Zend Framework: SQL Injection Prevention from DPC Slides http://blog.ekini.net/2009/06/17/zend-framework-sql-injection-prevention-from-dpc-zend-framework-slides/ http://blog.ekini.net/2009/06/17/zend-framework-sql-injection-prevention-from-dpc-zend-framework-slides/#comments Wed, 17 Jun 2009 06:37:58 +0000 Wenbert http://blog.ekini.net/2009/06/17/zend-framework-sql-injection-prevention-from-dpc-zend-framework-slides/ I would never make it to any PHP Conference, so I would have to be satisfied by the replays and slides. I got these from the DPC slides found here (pdf).

function query($sql, $bind = array())

- uses prepared statement internally
- SQL Injection still possible if $sql is dynamically created

function fetchAll($sql, $bind = array(), $fetchMode = null)

- all “fetch” methods use prepared statements internally
- SQL Injection still possible if $sql is dynamically created

<?php
$sql = "SELECT id FROM users WHERE lastname=? AND age=?";
$parans = array('Smith','18');
$result = $db->fetchAll($sql, $params);
?>

More stufff…

function insert($table, array $bind)

- internally uses prepared statements
- SQL-Injection not possible

function update($table, array $bind, $where = '')

- uses partially prepared statements
- SQL-Injection still possible if $where is dynamically created

function delete($table, $where = '')

- SQL-Injection still possible if $where is dynamically created

Zend_Db – Escaping

function quote($value, $type = null)

- applies the correct escaping – one function not many
- ATTENTION: also puts strings in quotes
Note: If the type of your field in your database is an Integer, then I would suggest that you use a second parameter — see below.

$value = '1234';
$sql = 'SELECT * FROM atable WHERE intColumn = '. $this->_db->quote($value, 'INTEGER');


function quoteIdentifier($ident, $auto=false)

- applies escaping for identifiers
- a function not available to traditional PHP applications
- ATTENTION: also puts strings in quotes
- Used for table names, columns, and other identifiers in SQL statements

If you use PHP variables to name tables, columns, or other identifiers in your SQL statements, you might need to quote these strings too.

Example:

class Default_Model_DbTable_Ordertype extends Zend_Db_Table_Abstract
{
    /** Table name */
    protected $_name = 'order_type';
 
    public function init()
    {
        $this->_db->setFetchMode(Zend_Db::FETCH_OBJ);
    }
 
    public function fetchAll($country_id)
    {
        $sql = 'SELECT *
                FROM
                '.$this->_name.'
                WHERE order_type_status = "on"
                AND country_id = ?';
 
        return $this->_db->fetchAll($sql,array($country_id));
    }
 
    public function fetchAllQuoted($country_id)
    {
        /**
         * This would also work.
         * But I prefer the one above.
         * It is shorter and easier to read.
         * Both will have the same results.
         */
        $country_id = $this->_db->quote($country_id);
        $sql = 'SELECT *
                FROM
                '.$this->_name.'
                WHERE order_type_status = "on"
                AND country_id = '.$country_id;
 
        /**
         * No second parameter.
         */
        return $this->_db->fetchAll($sql);
    }
}

MORE UPDATES:
Note that quote() and quoteInto() is a method of Zend_Db_Adapter_Abstract. So if you need to use it within your Mapper (like the models in ZF1.8 Quickstart), then you need to use the getAdapter() method:

<?php
 
class Twitter_Model_GroupMapper
{
    protected $_dbTable;
 
    public function setDbTable($dbTable)
    {
        if (is_string($dbTable)) {
            $dbTable = new $dbTable();
        }
        if (!$dbTable instanceof Zend_Db_Table_Abstract) {
            throw new Exception('Invalid table data gateway provided');
        }
        $this->_dbTable = $dbTable;
        return $this;
    }
 
    public function getDbTable()
    {
        if (null === $this->_dbTable) {
            $this->setDbTable('Twitter_Model_DbTable_Group');
        }
        return $this->_dbTable;
    }
 
    public function fetchGroup($twitter_username)
    {
        $quoted = $this->getDbTable()->getAdapter()->quote($twitter_username); //HERE!!!
        $resultSet = $this->getDbTable()->fetchAll('twitter_name = '.$quoted.'');
        return $resultSet;
    }
}
]]> http://blog.ekini.net/2009/06/17/zend-framework-sql-injection-prevention-from-dpc-zend-framework-slides/feed/ 1