Zend Db 避免 sql 注入
我有以下代码:
public function checkLoginDetails($email, $password) {
$select = $this->select ();
$select->where ( "password=?", md5($password) );
$select->where ( "email=?", $email );
return $this->fetchRow($select);
}
电子邮件和密码直接来自用户。我是否需要使用 mysql_real_escape_string 来过滤电子邮件,还是 Zend DB 为我做这件事?
谢谢你!
I have the following code:
public function checkLoginDetails($email, $password) {
$select = $this->select ();
$select->where ( "password=?", md5($password) );
$select->where ( "email=?", $email );
return $this->fetchRow($select);
}
email and password come directly from the user. Do I need to filter email with, say, mysql_real_escape_string or does Zend DB do it for me?
Thank you!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我是
Zend_Db的主要开发人员,一直到 Zend Framework 1.0。在您显示的示例中,值被插入到查询中,并应用了适当的引号和转义。您无需再做任何事情。
在内部,它使用您正在使用的
Zend_Db_AdapterPHP 扩展中内置的引用函数。例如PDO::quote()。I was the main developer on
Zend_Db, up to Zend Framework 1.0.In the example you show, the values are interpolated into the query, with appropriate quotes and escaping applied. You don't have to do anything more.
Internally, it uses the quoting function built into the PHP extension for the
Zend_Db_Adapteryou're using. E.g.PDO::quote().