Zend - Do I need to use quote() when inserting/updating?
I'm developing an application that allows users to input into VARCHAR(255) fields in MySQL, so security is a major concern.
I am having trouble understanding quote(). If I use quote('test'), the data returns as '\'test\'' on SELECT, which is undesirable. How do I unquote this data?
If I bypass quote(), I can peek into phpmyadmin and see 'test', so it does not seem that Zend is escaping quotes for me automatically...
My code looks something like this:
    public function getDbTable()
    {
        // Lazily create the Zend_Db_Table for $this->_tableName
        if (null === $this->_dbTable) {
            $this->setDbTable(new Zend_Db_Table($this->_tableName));
        }
        return $this->_dbTable;
    }

    private function insert($anObject)
    {
        // Raw (unquoted) values are handed straight to Zend_Db_Table::insert()
        $row['cell1'] = $anObject->getCell1();
        $row['cell2'] = $anObject->getCell2();
        $this->getDbTable()->insert($row);
    }
Should I be using quote() around $anObject->getCell1(), etc. when inserting and updating?
No, Zend does it for you.
Hehe, if you see 'test' (with quotes) in PMA, that means that Zend has quoted your string successfully. If Zend did not quote() it, you would see an exception about a wrong query. ;-)
Zend_Db_Table_Abstract::insert uses Zend_Db_Adapter_Abstract::insert to perform the insertion. Zend_Db uses prepared statements, so there is no risk of SQL injection when you use the insert method. You don't have to quote your values before passing them to insert.
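The behaviour described in this answer, shown end to end as an added example (this is not code from the original post or from Zend Framework itself). It assumes Zend Framework 1 is on the include_path and that the PDO SQLite extension is available, and uses an in-memory SQLite database with a constructed `items` table so it runs offline; the hostile input string is constructed for the example. It contrasts the correct call (raw values into `insert()`, bound as prepared-statement parameters) with the mistake in the question (pre-quoting the value, which stores the quote characters themselves), and shows where `quote()`/`quoteInto()` actually belong: when you assemble SQL text by hand.

```php
<?php
// Added example, not from the original post. Assumes Zend Framework 1 on the
// include_path and the pdo_sqlite extension; the table and inputs are constructed.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE items (id INTEGER PRIMARY KEY, cell1 VARCHAR(255), cell2 VARCHAR(255))');
Zend_Db_Table::setDefaultAdapter($db);

$table = new Zend_Db_Table('items');

// Constructed attacker-style input: quotes, a statement terminator and a comment marker.
$hostile = "O'Reilly'; DROP TABLE items; --";

// 1. Correct: hand the raw value to insert(). Zend_Db_Adapter_Abstract::insert()
//    binds every value as a prepared-statement parameter, so the quotes and the
//    trailing "DROP TABLE" are stored as data and never reach the SQL parser.
$table->insert(array('cell1' => $hostile, 'cell2' => 'plain'));

// 2. The mistake from the question: quoting before insert(). The bound parameter
//    now contains the surrounding quote characters literally, so SELECT returns
//    'test' (with the quotes) instead of test.
$table->insert(array('cell1' => $db->quote('test'), 'cell2' => 'pre-quoted'));

// 3. Where quote()/quoteInto() belong: when you build SQL text yourself, e.g. a
//    WHERE clause. quoteInto() escapes the value for the adapter's dialect.
$found = (int) $db->fetchOne(
    $db->quoteInto('SELECT COUNT(*) FROM items WHERE cell1 = ?', $hostile)
);
var_dump($found === 1);                 // bool(true): the hostile string is stored verbatim

// The same lookup with a bound parameter instead of quoteInto(); equivalent and safe.
$found = (int) $db->fetchOne('SELECT COUNT(*) FROM items WHERE cell1 = ?', $hostile);
var_dump($found === 1);                 // bool(true)

// The table still exists, so the embedded DROP TABLE never executed.
$total = (int) $db->fetchOne('SELECT COUNT(*) FROM items');
var_dump($total === 2);                 // bool(true)

// What the pre-quoted row looks like on SELECT: the quote characters are data.
$stored = $db->fetchOne("SELECT cell1 FROM items WHERE cell2 = 'pre-quoted'");
var_dump($stored === "'test'");         // bool(true): double-quoted, as observed in the question
```

Note that the exact form of the stored junk in case 2 depends on the adapter's `quote()` implementation (MySQL escapes inner quotes with backslashes, SQLite by doubling them), which is why the question saw backslashes on SELECT; the fix is the same either way: never quote a value that is going to be bound by `insert()` or `update()`.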