I'm using ZF 2.4 and, for this example, Zend\Db\Sql. Do I need to worry about SQL injection, or do I still need to quote() or escape anything if I already use prepareStatementForSqlObject()? Will the example below already do the bind variable?
https://framework.zend.com/manual/2.4/en/modules/zend.db.sql.html
use Zend\Db\Sql\Sql;
$sql = new Sql($adapter);
$select = $sql->select();
$select->from('foo');
$select->where(array('id' => $id));
$statement = $sql->prepareStatementForSqlObject($select);
$results = $statement->execute();
The Select class will cleverly check your predicate(s) and add them in a safe manner to the query to prevent SQL injection. I'd recommend you to take a look at the source for yourself, so I'll point you to the process and the classes that are responsible for this in the latest ZF version.

Predicate Processing

Take a look at the class PredicateSet. The method \Zend\Db\Sql\Predicate::addPredicates determines the best way to handle your predicate based on its type. In your case you are using an associative array. Every item in that array will be checked and processed based on type:

- Expression.
- NULL: an IS NULL check will be performed on the column found in the key: WHERE key IS NULL.
- WHERE key IN (arrayVal1, arrayVal2, ...).
- Operator of the type 'equals': WHERE key = value.

In each case the final predicate to be added to the Select will be implementing PredicateInterface.

Preparing the statement

The method \Zend\Db\Sql\Sql::prepareStatementForSqlObject instructs its adapter (i.e. PDO) to create a statement that will be prepared. From here it gets a little bit more complicated. \Zend\Db\Sql is where the real magic happens: in the method \Zend\Db\Sql::createSqlFromSpecificationAndParameters the function vsprintf is used to build the query strings, as you can see here.

Note

Please consider using the new docs.framework.zend.com website from now on. This website is leading when it comes to documentation of the latest version.
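To make the predicate-type handling and the prepared statement concrete, here is an added example that is not part of the question or the answer. It assumes zendframework/zend-db 2.4 installed via Composer, PHP's pdo_sqlite extension, and a table "foo" and inputs constructed here purely for illustration; the placeholder names shown in comments (such as :where1) are what the PDO driver is expected to emit.

```php
<?php
// Added example, not from the question or the answer: assumes zendframework/zend-db 2.4
// installed via Composer, PHP's pdo_sqlite extension, and a constructed table "foo".
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;

$adapter = new Adapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
$adapter->query(
    'CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT, deleted_at TEXT)',
    Adapter::QUERY_MODE_EXECUTE
);
$adapter->query(
    "INSERT INTO foo (id, name) VALUES (1, 'alice'), (2, 'O''Reilly')",
    Adapter::QUERY_MODE_EXECUTE
);

$sql = new Sql($adapter);

// Constructed "untrusted" inputs, as if taken straight from a request.
$untrustedName = "O'Reilly";         // the quote would break naive string concatenation
$untrustedIds  = ['1', '2', "3'"];   // an array becomes IN (...) with one placeholder per item

// One entry per branch of PredicateSet::addPredicates, as described in the answer:
$select = $sql->select('foo')->where([
    'LENGTH(name) > ?' => 3,              // key containing '?' -> Expression, value bound as a parameter
    'deleted_at'       => null,           // null value         -> IsNull:   "deleted_at" IS NULL
    'id'               => $untrustedIds,  // array value        -> In:       "id" IN (?, ?, ?)
    'name'             => $untrustedName, // scalar value       -> Operator: "name" = ?
]);

$statement = $sql->prepareStatementForSqlObject($select);

// The SQL text handed to PDO carries only named placeholders (e.g. :where1); no input value
// is spliced into it, which is why no manual quote()/escaping is needed for these values.
echo $statement->getSql(), PHP_EOL;

// The values travel separately in the ParameterContainer and are bound by the PDO driver.
print_r($statement->getParameterContainer()->getNamedArray());

$rows = iterator_to_array($statement->execute());
echo count($rows), " row(s) matched", PHP_EOL;   // only id 2 should satisfy every predicate
```

Only the values are bound: the array keys (column names and the text of an Expression such as 'LENGTH(name) > ?') become part of the SQL string itself, so they must come from your code, never from request input.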