You could use $this->view->escape

On Sun, Jun 7, 2009 at 6:51 AM, iceangel89 <comet2...@gmail.com> wrote:
>
> Matthew Weier O'Phinney-3 wrote:
> >
> > (In 2.0, we will make escaping the default within Zend_View, and require
> > you to explicitly ask for raw data if you don't want escaping.)
> >
>
> That will be much better!
>
> Hmm, sometimes if I have a complex query with joins to a lot of tables ...
> and I don't have time to find out what's the ZF way to do things ... can I use
>
> $val = escapeSql($this->getRequest()->getParam('username')); // is there an
> "escape SQL" function?
> $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")
>
> And you meant not just Zend_Db_Select, right? You refer to the quoting
> mechanism. Zend_Db_Select by itself just gives normal SQL, right? Is it
> quoteInto()/where() etc. that escapes for SQL? What if I need to escape
> something not in where? Maybe in the joins or having or something else?
>
> --
> View this message in context:
> http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23907576.html
> Sent from the Zend Framework mailing list archive at Nabble.com.
>

--
Vincent Gabriel.
Lead Developer, Senior Support.
Zend Certified Engineer.
Zend Framework Certified Engineer.
--
http://www.vadimg.co.il/
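The question above (an "escape SQL" function, and whether joins and having clauses are covered by the quoting mechanism) is answered by the Zend_Db API itself. The following is an added example, not code from the thread or from the Zend Framework project: it shows the ZF 1.x ways of getting a user-supplied value into a query without string concatenation, and how the value must still be escaped a second time for HTML on output. It assumes the ZF1 library is on the include_path, a MySQL database with tables `users` and `posts` (placeholder names and credentials), and a constructed hostile `$username` standing in for the request parameter.

```php
<?php
// Added example (not from the thread or the Zend Framework project).
// Assumptions: ZF 1.x on the include_path, a reachable MySQL database
// with tables `users` and `posts`; host, credentials and dbname are
// placeholders.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => '127.0.0.1',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'app',
));

// Constructed hostile input, standing in for getParam('username').
$username = "' OR '1'='1";

// 1. Bind parameters. The value is sent to the driver separately from the
//    SQL text, so it is never interpreted as SQL at all. This is the
//    replacement for the imagined escapeSql() + concatenation.
$rows = $db->fetchAll(
    'SELECT * FROM users WHERE username = ?',
    array($username)
);

// 2. quoteInto() for hand-built SQL strings: each '?' is replaced by
//    quote($value), which adds the surrounding quotes and escapes quote
//    characters inside the value using the adapter's own rules.
$sql  = $db->quoteInto('SELECT * FROM users WHERE username = ?', $username);
$rows = $db->fetchAll($sql);

// 3. Zend_Db_Select: where() and having() run quoteInto() on their
//    condition for you. joinInner() does NOT: its condition is emitted
//    as given, so any value inside a join condition has to be passed
//    through quoteInto() by hand. Numeric input is cast, not quoted.
$minPosts = (int) '3';
$select = $db->select()
    ->from(array('u' => 'users'), array('u.id', 'u.username'))
    ->joinInner(
        array('p' => 'posts'),
        $db->quoteInto('p.user_id = u.id AND p.status = ?', 'published'),
        array('post_count' => 'COUNT(p.id)')
    )
    ->where('u.username = ?', $username)
    ->group('u.id')
    ->having('COUNT(p.id) >= ?', $minPosts);
$rows = $db->fetchAll($select);

// 4. Identifiers (table or column names) cannot be protected by value
//    quoting. Check them against a whitelist first; quoteIdentifier()
//    then wraps the name in backticks so it is read as a name only.
$allowed = array('username', 'created_at');
$sortCol = 'created_at';   // would come from the request
if (!in_array($sortCol, $allowed, true)) {
    $sortCol = 'username';
}
$sql  = 'SELECT * FROM users ORDER BY ' . $db->quoteIdentifier($sortCol) . ' ASC';
$rows = $db->fetchAll($sql);

// 5. Output side. A value that is safe inside SQL is not safe inside
//    HTML; Zend_View::escape() (htmlspecialchars by default) is the XSS
//    defence. In a view script this is $this->escape($row['username']).
//    The default escaping uses ENT_COMPAT, which leaves single quotes
//    alone, so always put escaped values in double-quoted attributes.
$view = new Zend_View();
foreach ($rows as $row) {
    echo '<li title="' . $view->escape($row['username']) . '">'
       . $view->escape($row['username']) . "</li>\n";
}
```

Of the three query styles, binding (1) is the one to reach for when there is no time to learn Zend_Db_Select: it works with any SQL, joins included, and never relies on escaping being done correctly.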