You could use
$this->view->escape

On Sun, Jun 7, 2009 at 6:51 AM, iceangel89 <comet2...@gmail.com> wrote:

>
>
> Matthew Weier O'Phinney-3 wrote:
> >
> > (In 2.0, we will make escaping the default within Zend_View, and require
> > you to explicitly ask for raw data if you don't want escaping.)
> >
>
> that will be much better!
>
> hmm sometimes if I have a complex query with joins to a lot of tables ...
> and I don't have time to find out what's the ZF way to do things ... can I use
>
> $val = escapeSql($this->getRequest()->getParam('username')); // is there an "escape SQL" function?
> $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'")
>
> and you meant not just Zend_Db_Select right? you refer to the quoting
> mechanism.
> Zend_Db_Select by itself just gives a normal SQL right? is it
> quoteInto()/where() etc. that escapes for SQL? what if I need to escape
> something not in where? maybe in the joins or having or something else?
>
>
>
> --
> View this message in context:
> http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23907576.html
> Sent from the Zend Framework mailing list archive at Nabble.com.
>
>


-- 
Vincent Gabriel.
Lead Developer, Senior Support.
Zend Certified Engineer.
Zend Framework Certified Engineer.
-- http://www.vadimg.co.il/
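An added example, not code from this thread or from the Zend Framework project itself, showing the two mechanisms the thread discusses: Zend_Db's quoting (quoteInto(), bind parameters, and the value argument of where()/having() on Zend_Db_Select) and Zend_View's escape() for HTML output. It assumes $db is a Zend_Db_Adapter_Abstract instance and $view a Zend_View; the Users/Orders tables and columns are constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes $db is a Zend_Db_Adapter_Abstract
// (e.g. from Zend_Db::factory('Pdo_Mysql', $config)); Users/Orders are constructed.

function findUserWithOrderCount(Zend_Db_Adapter_Abstract $db, $username, $minOrders)
{
    // 1. Vulnerable form from the thread: a quote inside $username changes the
    //    SQL itself, because the value is concatenated into the statement text.
    //    $rows = $db->fetchAll("SELECT * FROM Users WHERE username = '" . $username . "'");

    // 2. Hand-written SQL, quoted: quoteInto() replaces each '?' with the value
    //    passed through the adapter's quote(), so it is data, not SQL syntax.
    $sql  = $db->quoteInto('SELECT * FROM Users WHERE username = ?', $username);
    $rows = $db->fetchAll($sql);

    // 3. Same query with a bind parameter: the value is sent separately from the
    //    statement (prepared statement), so no quoting step is needed at all.
    $rows = $db->fetchAll('SELECT * FROM Users WHERE username = ?', array($username));

    // 4. Zend_Db_Select: the second argument of where() and having() is quoted
    //    for you, so escaping is not limited to WHERE. A join condition is SQL
    //    text with no value argument, so never place user data in it directly.
    $select = $db->select()
        ->from(array('u' => 'Users'), array('u.id', 'u.username'))
        ->joinLeft(array('o' => 'Orders'), 'o.user_id = u.id', array('n' => 'COUNT(o.id)'))
        ->where('u.username = ?', $username)
        ->group('u.id')
        ->having('COUNT(o.id) >= ?', (int) $minOrders);

    return $db->fetchAll($select);
}

// Output side (XSS): escape() applies htmlspecialchars() by default, so a stored
// username such as <script>...</script> is rendered as literal text in the browser.
function renderUsernameCell(Zend_View $view, $username)
{
    return '<td>' . $view->escape($username) . '</td>';
}
```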
