
Zend_Db_Table_Abstract and Zend_Db_Expr

I have recently inherited an application, written using ZF, which has various fields encrypted in the db. There are many models extending Zend_Db_Table_Abstract with code similar to this example -

<?php
class Partner extends Zend_Db_Table_Abstract {

    protected $_name = 'partner', $_primary = 'id';

    public function createPartner( $mobile ){

        // A Zend_Db_Expr is copied into the INSERT verbatim, so $mobile is
        // interpolated straight into the SQL text with no quoting at all.
        $id = $this->insert( array(
                        'mobile' => new Zend_Db_Expr("AES_ENCRYPT('$mobile', 'random_key')"),
                        'createdOn' => date('Y-m-d H:i:s')
                    ) );

        $res = $this->find($id);
        return $res->current();
    }

}
?>

My concern with this code is that $mobile is being passed literally into the query. What is the cleanest way to modify the way this value is being set, so that it uses quoteInto or some other method that uses placeholders to parametrise the query?

How about

public function createPartner( $mobile ){

    // quoteInto() replaces '?' with the adapter-quoted value, so the
    // expression handed to Zend_Db_Expr now contains a proper string literal.
    $id = $this->insert( array(
                    'mobile' => new Zend_Db_Expr($this->getAdapter()->quoteInto("AES_ENCRYPT(?, 'random_key')", $mobile)),
                    'createdOn' => date('Y-m-d H:i:s')
                ) );

    $res = $this->find($id);
    return $res->current();
}

This seems to work but is there some problem with it that I am missing?
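As an added example (not code from the question or either answer), the model below applies the quoteInto() approach from the answer above to both the insert and the matching AES_DECRYPT read, and then round-trips a value crafted to close the string literal, which is the payload that would have worked against the original code. It assumes Zend Framework 1 with the Pdo_Mysql adapter and the question's `partner` table; the fetchMobile() method, the $key argument, the connection settings and the hostile input are this example's own assumptions.

```php
<?php
// Added example, not code from the question or either answer. Assumes Zend Framework 1
// on the include path (Zend_Db, Zend_Db_Table_Abstract, Zend_Db_Expr), a MySQL adapter,
// and a `partner` table with columns id (auto-increment primary key), mobile (VARBINARY)
// and createdOn, as in the question. fetchMobile(), the $key argument and the connection
// settings below are this example's own assumptions.

class Partner extends Zend_Db_Table_Abstract
{
    protected $_name    = 'partner';
    protected $_primary = 'id';

    // AES_ENCRYPT has to stay in the SQL, so the column value is a Zend_Db_Expr, but every
    // value placed inside that expression goes through the adapter's quoteInto(), which
    // wraps it in quotes and escapes quote characters. A hostile $mobile therefore stays
    // one string literal instead of ending the literal and appending SQL.
    public function createPartner($mobile, $key)
    {
        $db = $this->getAdapter();

        // quoteInto() substitutes the same value for every '?' in its first argument,
        // so the expression is built in two calls, one per value.
        $encrypt = $db->quoteInto('AES_ENCRYPT(?, ', $mobile)
                 . $db->quoteInto('?)', $key);

        $id = $this->insert(array(
            'mobile'    => new Zend_Db_Expr($encrypt),
            'createdOn' => date('Y-m-d H:i:s'),   // current time; no mktime() needed
        ));

        return $this->find($id)->current();
    }

    // Read the plaintext back with AES_DECRYPT. The key is quoted the same way and the
    // row id goes through the select's own '?' placeholder.
    public function fetchMobile($id, $key)
    {
        $db = $this->getAdapter();

        $select = $this->select()
            ->from($this, array(
                'id',
                'mobile' => new Zend_Db_Expr($db->quoteInto('AES_DECRYPT(mobile, ?)', $key)),
            ))
            ->where('id = ?', (int) $id);

        $row = $this->fetchRow($select);
        return $row === null ? null : $row->mobile;
    }
}

// Usage: round-trip a value crafted to break out of the string literal. Connection
// details are placeholders (assumption); the payload is constructed for this example.
$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'appdb',
));
Zend_Db_Table_Abstract::setDefaultAdapter($db);

$key     = 'random_key';                 // the question's key name, kept for illustration
$hostile = "07700900123', 'k'), ('x";   // constructed: would end the literal in the original code

$partners = new Partner();
$row      = $partners->createPartner($hostile, $key);

// With quoting in place the payload is stored as data, so it must decrypt back unchanged.
if ($partners->fetchMobile($row->id, $key) !== $hostile) {
    throw new RuntimeException('mobile was not stored as data');
}
```

quoteInto() escapes on the client, so the plaintext and the key still become part of the SQL text and of anything that logs it. If that matters, bind them instead: `$db->query('INSERT INTO partner (mobile, createdOn) VALUES (AES_ENCRYPT(?, ?), ?)', array($mobile, $key, $date))` hands both to the driver as statement parameters rather than splicing them into the query in application code.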

Use a prepared statement in this case:

// Keep AES_ENCRYPT in the SQL, but bind the plaintext and the key as parameters
// instead of interpolating them into the statement text.
$date = date('Y-m-d H:i:s');

$stmt = $this->getAdapter()->prepare(
    'INSERT INTO ' . $this->_name . ' (mobile, createdOn) VALUES (AES_ENCRYPT(?, ?), ?)'
);
$stmt->execute(array($mobile, 'random_key', $date));
