Quoting a value for an SQL query in ZF 2.1.4

So, I upgraded to ZF 2.1.4, and I was greeted with the message: Attempting to quote a value in Zend\Db\Adapter\Platform\Mysql without extension/driver support can introduce security vulnerabilities in a production environment

My dbadapter is defined as such:

    return array(
        'service_manager' => array(
            'factories' => array(
                'Zend\Db\Adapter\Adapter' => 'Zend\Db\Adapter\AdapterServiceFactory',
            ),
        ),
        'db' => array(
            'driver'         => 'pdo_mysql',
            'driver_options' => array(
                PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            ),
            'dsn'      => 'mysql:dbname=test;host=192.168.1.8',
            'username' => 'test',
            'password' => 'test',
        ),
    );

I want to quote the following:

    // ORDER BY FIELD(ce.id, ...) returns the rows in the same order as $ids
    $order = 'field(ce.id, ' . $this->_db->getPlatform()->quoteValueList($ids) . ')';
    $select->order(new Expression($order));

How can I do it? I got the impression that pdo_mysql has driver support for specifying values.

1 answer

It looks like you already found your solution by adding $this->platform->setDriver($this->getDriver());. Also take a look at this:

See the security announcements and notes that accompanied this version: http://framework.zend.com/security/advisory/ZF2013-03

Release Notes: http://framework.zend.com/blog/2013-03-14-zend-framework-3-for-1-release-day.html

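The following is an added example, not code from the question, the answer or the Zend Framework project. It shows the two ways a practitioner would deal with the notice: build the platform from a Zend\Db\Adapter\Adapter so that a live driver is attached and quoteValueList() escapes through PDO::quote() instead of the PHP-level fallback, and, preferably, stop quoting user data in PHP at all by passing the values as placeholders to Zend\Db\Sql\Expression so they are bound when the statement is prepared. The DSN, credentials, the table name content_entries and the column names are assumptions; $ids is constructed sample input.

```php
<?php
// Added example (not from the original question/answer or the ZF2 project).
// Assumes ZF 2.1.4 installed via Composer; host, credentials, table and columns
// are placeholders.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Expression;
use Zend\Db\Sql\Sql;

$adapter = new Adapter(array(
    'driver'   => 'pdo_mysql',
    // charset in the DSN (PHP >= 5.3.6) tells the client library which charset
    // to escape for, so quoting and the connection agree on the encoding.
    'dsn'      => 'mysql:dbname=test;host=192.168.1.8;charset=utf8',
    'username' => 'test',
    'password' => 'test',
));

// Adapter::__construct() wires the driver into the platform, so this platform
// quotes through the connection (PDO::quote) instead of the driverless fallback
// that raises the notice quoted in the question.
$platform = $adapter->getPlatform();

$ids = array(3, 1, '2'); // constructed sample input, e.g. from a request

$sql = new Sql($adapter);

// Option A: quote via the driver. Safe now that the driver is attached, but the
// values still end up interpolated into the SQL text.
$select = $sql->select('content_entries')
    ->columns(array('id', 'title'))
    ->order(new Expression('FIELD(id, ' . $platform->quoteValueList($ids) . ')'));

echo $sql->getSqlStringForSqlObject($select), PHP_EOL;

// Option B (preferred): bind the values. Each '?' in the Expression becomes a
// statement parameter when prepared, so no escaping of user data happens in PHP.
$placeholders = implode(', ', array_fill(0, count($ids), '?'));
$select2 = $sql->select('content_entries')
    ->columns(array('id', 'title'))
    ->order(new Expression('FIELD(id, ' . $placeholders . ')', $ids));

$statement = $sql->prepareStatementForSqlObject($select2);
$results   = $statement->execute();
foreach ($results as $row) {
    echo $row['id'], ' ', $row['title'], PHP_EOL;
}
```

Option B removes the quoting question entirely: the FIELD() list is rendered as placeholders and the ids travel as bound parameters, which is the shape the ZF2013-03 advisory steers towards. If you must render a string (for logging or for getSqlString()), make sure the platform you call quoteValueList() on is the adapter's own platform, or has had setDriver() called with the adapter's driver, as the answer above notes.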
