I am developing a web application using zend framework. For select statements I have used following way.
Ex:
public function getData($name)
{
$sql = "SELECT * from customer where Customer_Name = '$name'";
return $this->objDB->getAdapter()->fetchAll ($sql);
}
This works fine. But If I send customer name as : colvin's place,
The query fail. And I know it's because of the single quote.
Earlier I used addslashes PHP function. But I saw it is not a good way to do this. This time I used mysql_real_escape_string PHP function.
The issue is it says following warning.
Warning</b>: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: Access denied for user 'ODBC'@'localhost' (using password: NO)
This is because of the mysql_real_escape_string function needs a connection to the database opened by mysql_connect. My question is how can I use this with *Zend_DB* classes. I need to use custom select queries always. Appreciate your other suggestions if available.
Thank you
You can use the quote() function provided by Zend_Db:
http://framework.zend.com/manual/en/zend.db.adapter.html#zend.db.adapter.quoting.quote
You could use parameter binding as well, then the method will look like:
public function getData($name)
{
$sql = "SELECT * from customer where Customer_Name = :name";
return $this->objDB->getAdapter()->fetchAll ($sql, ['name' => $name]);
}
Then your data will be escaped automatically
I had the same problem and this solution works fine for me. I hope this will help.
you can do something like this:
$quote_removed_name = str_replace("'","''",$name);
then write your query this way:
$sql = "SELECT * from customer where Customer_Name = '$quote_removed_name'";
I had this problem, I used this way and is working correctly:
You can use quote():
The quote() method accepts a single argument, a scalar string value. It returns the value with special characters escaped in a manner appropriate for the RDBMS you are using, and surrounded by string value delimiters. The standard SQL string value delimiter is the single-quote (').
But quote returns a string with 'string' (return it inside quotation), for example I get an string from user from a input-text box (or by URL in GET method)
$string = $this->parameters['string']; // This is like $_POST or $_GET
$string = $this->db->quote($string);
$string = substr($string, 1, strlen($string)-2);
//The above line will remove quotes from start and end of string, you can skip it
Now we can use this $string, and it is like what mysql_real_escape_string returns
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 够拽才男人 的文章《mysql_real_escape_string with Zend》','https://www.manongdao.com/article-441159.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}