Friday, February 20, 2015

Preventing SQL injection when using MySQL query directly

Okay, researched this one a little bit. If you can get an instance of a DB_Adapter (which I believe that resource call will return), this shouldn't be too tough. Deep down inside, Magento is based on Zend Framework, and the DB adapter specifically is descended from Zend_Db_Adapter, so you can use those methods for free. See the link before for more examples, but here's the syntax provided in the docs, which should escape your input automagically:

$write = Mage::getSingleton("core/resource")->getConnection("core_write");

// Concatenated with . for readability
$query = "insert into mage_example "
       . "(name, email, company, description, status, date) values "
       . "(:name, :email, :company, :desc, 0, NOW())";

$binds = array(
    'name'    => "name' or 1=1",
    'email'   => "email",
    'company' => "company",
    'desc'    => "desc",
);
$write->query($query, $binds);

Reference:

http://stackoverflow.com/questions/3575160/using-magento-methods-to-write-insert-queries-with-care-for-sql-injection
http://www.framework.zend.com/manual/en/zend.db.adapter.html
Posted by Jun Hsieh at 10:56 AM
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)