
Does Zend_DB / Doctrine protect me from SQL injection?

Does using prepared statements in Zend_DB or Doctrine protect me from sql injection?

example:

$stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND password = ?');
// Zend_Db_Statement::execute() takes a single array of bind values, not one argument per placeholder
$rs = $stmt->execute(array('peter', 'secret'));

Or do I have to check strings and types myself?

Another quickie: Which of the two is best? I only need the DB abstraction (w/ statements, procedures, and transactions).

Yes.

Prepared statements, whether done with Zend_Db, Doctrine or plain old mysqli, protect you from injection by separating the query structure from the data. This means that if you prepare a statement that selects users based on their name and password, no hacker will be able to provide data that turns that statement into a different one.

Just make sure that the query itself is a string constant.

As for your second question, Doctrine and Zend_Db have different approaches that fit different situations and different aesthetic preferences. There have already been several questions on the topic here.
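The separation of query structure from data that the answer describes, shown as an added example that is not part of the original post or of Zend_Db or Doctrine. It uses plain PDO against an in-memory SQLite database so it runs without either framework; the assumption is that Zend_Db's PDO adapters and Doctrine DBAL wrap PDO, so the `prepare()` / `execute(array(...))` calls correspond to the ones in the question. The attacker input and the `users` rows are constructed for the demonstration.

```php
<?php
// Added example (not from the original post, Zend_Db or Doctrine): plain PDO
// against an in-memory SQLite database, so it runs without either framework.
// Assumption: Zend_Db_Adapter_Pdo_* and Doctrine DBAL sit on top of PDO, so
// prepare()/execute(array(...)) below correspond to the calls in the question.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for native (server-side) prepares. SQLite always compiles the statement
// before values are bound; for MySQL this switches off PDO's client-side
// emulation, which would interpolate values into the query text instead.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('peter', 'secret'), ('alice', 'hunter2')");

// Constructed attacker input: a tautology that makes the WHERE clause always true
// when it is pasted into the query text.
$name     = "' OR '1'='1";
$password = "' OR '1'='1";

// Vulnerable: the values are glued into the query string, so the attacker's
// quotes and OR become part of the statement structure. With the input above
// this returns every user.
function loginConcat(PDO $db, $name, $password)
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the statement is compiled from a constant string first; the values are
// bound afterwards and can only ever be compared as data. With the input above
// no row matches, because no user is literally named "' OR '1'='1".
function loginPrepared(PDO $db, $name, $password)
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ? AND password = ?');
    $stmt->execute(array($name, $password));   // one array, not two arguments
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// What placeholders cannot do: table names, column names and keywords
// (ORDER BY column, ASC/DESC, ...) are structure, not data, and cannot be bound.
// They must come from a constant or from a whitelist you control, never from
// the request. Here an unknown sort key falls back to a fixed column.
function listUsersSorted(PDO $db, $requestedSort)
{
    $allowed = array('id' => 'id', 'name' => 'name');   // whitelist of column names
    $column  = isset($allowed[$requestedSort]) ? $allowed[$requestedSort] : 'name';
    $stmt = $db->prepare("SELECT name FROM users ORDER BY $column");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(loginConcat($db, $name, $password));
print_r(loginPrepared($db, $name, $password));
print_r(listUsersSorted($db, 'name; DROP TABLE users'));
```

Run with `php example.php`: the concatenated login lists both users, the prepared one lists none, and the sort helper ignores the injected sort key. The same pattern applies unchanged to the abstractions in the question: Zend_Db offers `$db->fetchAll($sql, $bind)` and Doctrine DBAL `$conn->executeQuery($sql, $params)`, both of which take the SQL as one constant string and the values as a separate array.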


粤ICP备18138465号  © 2020-2024 STACKOOM.COM