Hello,

This post just gets me more confused, because I'm using $db->quote() in
almost all my inserts, but when I get the data back, all my carriage returns
are converted to \n\r and single quotes become \'. I also used PHP's
stripslashes(), but it has no effect on carriage returns.

Is there an effective way to "unquote" results that were inserted using
quote()?

Thanks!

Mauricio



Matthew Ratzloff wrote:
> 
> Hi Jared,
> 
>> I'm just now learning all the intricacies of preventing SQL injection
>> attacks.  I understand the value of using Zend_Db quoting for values that
>> can be manipulated by users... what I can't find, though, is a good
>> "unescape" command.
>>
>> If I have an article, for example, that I want to store and then retrieve
>> and display, I'll quote the article before inserting it.  This will,
>> of course, escape all quotes, but it will also put a set of single quotes
>> around my entire article.  When I then retrieve the article and run
>> "stripslashes()" to unescape the quotes, it leaves the surrounding single
>> quotes.
> 
> Looking at your example, I think you may be a little confused.  Escaping
> certain characters in preparation for use in an SQL statement simply
> inserts the values as intended to be read by the end user into the
> database.  There's no need to unescape them following a SELECT statement
> because no escape characters are stored in the database record.
> 
> For anyone else that's curious--without escaping, someone might enter the
> following:
> 
> Username: admin
> Password: ' OR '1' = '1
> 
> If it's not properly filtered, it could break out of the "AND Password =
> '(password)'" portion of the WHERE clause and return admin without
> properly authenticating them.
> 
> Hope that helps,
> 
> -Matt
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/quoteOutOf--tp6416052p16324521.html
Sent from the Zend Framework mailing list archive at Nabble.com.

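As an added illustration of Matt's point (example code, not from the thread and not Zend_Db's implementation), here is a stand-in for an adapter's quote() together with a model of how the server parses the resulting literal. It shows that a value quoted once comes back exactly as entered, that quoting an already-escaped value is what leaves \' sequences and surrounding quotes in the row, and that the injection string from the thread becomes an ordinary literal. The function names quoteValue() and parseLiteral() are assumptions made for this example.

```php
<?php
// Stand-in for an adapter's quote(): escape the characters MySQL treats as
// special, then wrap the result in single quotes. Constructed for this
// example; not Zend_Db's own code.
function quoteValue(string $value): string
{
    $escaped = strtr($value, [
        "\\" => "\\\\",
        "'"  => "\\'",
        "\"" => "\\\"",
        "\n" => "\\n",
        "\r" => "\\r",
        "\0" => "\\0",
    ]);
    return "'" . $escaped . "'";
}

// Model of what the server does when it parses that literal: the escape
// sequences collapse back to the original bytes before the row is written,
// so the stored value contains neither the backslashes nor the outer quotes.
function parseLiteral(string $literal): string
{
    $inner = substr($literal, 1, -1);   // drop the surrounding quotes
    return strtr($inner, [
        "\\\\" => "\\",
        "\\'"  => "'",
        "\\\"" => "\"",
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\0"  => "\0",
    ]);
}

$article = "It's line one\r\nline two";   // constructed sample input

// 1. Quoted exactly once: the row holds the original text, so there is
//    nothing to unescape after SELECT.
var_dump(parseLiteral(quoteValue($article)) === $article);

// 2. Quoted twice (quote() applied to a value that was already escaped or
//    quoted, e.g. by magic_quotes or an earlier quote() call): the inner
//    escapes and quotes become part of the data, which is exactly the \'
//    and surrounding-quote symptom described in the thread.
echo parseLiteral(quoteValue(quoteValue($article))), "\n";

// 3. The thread's injection attempt, quoted once, is compared as a plain
//    string against the password column and cannot alter the WHERE clause.
$sql = "SELECT * FROM users WHERE username = " . quoteValue("admin")
     . " AND password = " . quoteValue("' OR '1' = '1");
echo $sql, "\n";
```

The fix for the symptom in the original post is therefore to find and remove the second layer of escaping before the insert, not to unescape after the select.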