Zend_Db quoteInto() with multiple arguments

Zend Framework has some weird “features” so to say, which pop out from time to time and get the programmers really annoyed. The latest thing quoteInto() method of Zend_Db_Adapter_Abstract class. This is supposed to quote input variables prior to entering them into a SQL command to avoid SQL injection attacks. Sounds cool, doesn’t it? Well…not quite. Because, because it can only quote one argument.

You can’t write:

// note: I usually extend my models from the Zend_Db_Table_Abstract class
// this code should be executed in a model of a such model
$select = new Zend_Db_Select($this->_db);
$select->from($this->_name);
$select->where($this->_db->quoteInto('(a = ? AND b = ?) OR (c != ?)', $a, $b, $c);

…as this won’t work. Of course, there’s a really lame approach, to concatenate the output from multiple quoteInto() calls. Like such:

$select->where(
    $this->_db->quoteInto('(a =? AND ', $a) .
    $this->_db->quoteInfo('b = >)', $b) .
    $this->_db->quoteInfo(' OR ( c != ?)', $c)
);

As I said, extremely lame. What’s to do then. Well, when I’ve hit this roadblock, I’ve opted for prepared statements. Of course, they brake the OOP encapsulation of SQL queries but if you don’t need to alter the query later it’s okay. So:

$stmt = $this->_db->prepare( 'SELECT * FROM ' . $this->_name . ' WHERE (a = ? AND b = ?) OR (c != ?)');
$stmt->execute(array($a, $b, $c));

This also works when you need to write custom sql queries:

$stmt = $this->_db->prepare('INSERT INTO ' . $this->_name . ' (first, second) VALUES (?, ?) ON DUPLICATE KEY UPDATE first = first + 1');
$stmt->execute(array($first, $second));

A decent workaround to the quoteInto() problem…

$values = array('value1', 'value2', 3, 'whatever'); $sql = 'INSERT INTO table (col1, col2, col3, col4) VALUES( ?, ?, ?, ?)'; foreach($values as $value) { $sql = $adapter->quoteInto($sql, $value); }

Andris

September 8th, 2009 at 9:44 pm

Check out my article about this issue:
http://codeaid.net/php/multiple-parameters-in-zend_db::quoteinto()

Tudor

September 9th, 2009 at 6:51 am

Your link doesn’t work…

Ben

September 24th, 2009 at 4:56 pm

Looks like this is what he meant to link: http://codeaid.net/search/quoteinto

September 24th, 2009 at 5:08 pm

Yes, it seems so. But a better idea would be this:

Not tested, but it should work!

Alex

April 30th, 2010 at 4:11 pm

$where = "(group_id = ? AND format_id = ? AND color_id = ?)";
$values = array($groupId, $formatId, $colorId);

foreach($values as $value)
	$where = $this->_db->quoteInto($where, $value , '', 1);

tested and works!

April 30th, 2010 at 5:12 pm

Nice! But I’m quite sure that it wasn’t working one year ago when the article was written

,,,^..^,,,

Tudor Barbu's blog

Programming blogs

Friends

Non English Blogs

Advertising

Most commented

6 Responses

Leave a reply