Hello,
please look at this, I don't know how to secure the $sort ...
This variable is set from the request ($this->request->getParam('sort');), so it's not safe ... I think it should be quoted .. but I don't know how, because there is no suitable method; these are not doing the right thing :( (quote, quoteIdentifier etc.).
$select = $db->select();
$select->from('module_Events', '*')
       ->where('`startAt` >= ?', $date)   // bound value, quoted by Zend_Db
       ->order($sort)                     // $sort comes straight from the request
       ->limit(200, 0);                   // Zend_Db_Select::limit() takes ($count, $offset)
Where is it now quoted correctly ... ?
Thanks for any advice
Mike
it seems its done inside the select
When I look inside the select functions, it seems that the order is being quoted ... so maybe it's ok. If it is, sorry :)
Zend_Db_Select quotes the order automatically; you do not need to quote it before passing it to the order() method.
However, passing user input directly to the select is not good practice. It is better to use an array of columns that support ordering and check the input against this array. This technique also prevents ordering by a column that is not indexed.
Sincerely,
Alex
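The allowlist check Alex describes, as an added example that is not code from the original thread or from Zend Framework. The column names in the allowlist and the sample request values are constructed for illustration; the real sortable columns of module_Events come from the application's schema. The helper function safeSortExpression() is hypothetical and returns a "column DIRECTION" string that Zend_Db_Select::order() will quote as usual.

```php
<?php
// Added example, not from the original thread: validate a user-supplied
// sort parameter against an allowlist before it reaches
// Zend_Db_Select::order().

/**
 * Return a safe "column DIRECTION" string, or $default when the requested
 * value is not in the allowlist or is malformed.
 *
 * @param string|null $requested raw value, e.g. $this->request->getParam('sort')
 * @param array       $allowed   columns that are indexed and may be sorted on
 * @param string      $default   fallback order expression
 * @return string
 */
function safeSortExpression($requested, array $allowed, $default = 'startAt ASC')
{
    if (!is_string($requested) || trim($requested) === '') {
        return $default;
    }

    // Accept "column" or "column asc|desc"; anything longer is rejected.
    $parts = preg_split('/\s+/', trim($requested));
    if (count($parts) > 2) {
        return $default;
    }
    $column    = $parts[0];
    $direction = isset($parts[1]) ? strtoupper($parts[1]) : 'ASC';

    // Strict comparison so only an exact allowlisted name passes.
    if (!in_array($column, $allowed, true)) {
        return $default;
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        return $default;
    }
    return $column . ' ' . $direction;
}

// Constructed allowlist: only indexed columns of module_Events.
$sortable = array('startAt', 'title', 'createdAt');

// Constructed sample inputs standing in for getParam('sort').
$samples = array(
    'title desc',             // allowed column, valid direction
    'startAt',                // allowed column, direction defaults to ASC
    'description desc',       // not in the allowlist -> default
    'createdAt descending',   // unknown direction -> default
    'title ASC extra',        // malformed -> default
    null,                     // parameter missing -> default
);
foreach ($samples as $s) {
    printf("%-28s => %s\n", var_export($s, true), safeSortExpression($s, $sortable));
}

// In the original query the validated string replaces the raw $sort:
// $select = $db->select();
// $select->from('module_Events', '*')
//        ->where('`startAt` >= ?', $date)
//        ->order(safeSortExpression($this->request->getParam('sort'), $sortable))
//        ->limit(200, 0);
```

Because the allowlist holds only indexed columns, a request can neither name a column the application does not intend to expose nor force a full-table sort on an unindexed one; anything unexpected silently falls back to the default order.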
Ok thank you, that's right, I'll fix it.
Sincerely,
Mike