Zend Framework Forum

Go Back   Zend Framework Forum > Zend Framework Components > Databases

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 08-11-2008, 11:44 PM
dele454's Avatar
Member
 
Join Date: Jun 2008
Posts: 49
Default QuoteInto to with multiple parameters

hi

I need to query the database with 2 parameters from a URL :

http://mainevent.com/admin/galleries...d/1/type/venue


Code:
public function getGalleryByIdType($requestType="", $requestID="")
                {
                               if($requestType ="event'){
                               
                                  $db        = Zend_Registry::get('db');
                                   $sql       = $db->quoteInto("SELECT g.GalleryName, e.EventName
                                                   FROM Galleries  g  
                                                   LEFT JOIN EventGallery eg ON eg.GalleryID = g.GalleryID
                                                   LEFT JOIN Event e On e.EventID = eg.EventID
                                                   WHERE g.Type=? AND g.GalleryID=?" , $requestType,$requestID);
                       
                                                                                         
                                  $query     = $db->query($sql);
                               
                                  $results   = $query->fetchAll();
                                 
                                  return $results;
                            }
               
               
                }
It seems the quoteInto function only accepts a single parameter. It returns an empty array with no results. And the function doesnt support supplying parameters as an array of values. I came across this article:

Modifying Zend_Db_Adapter_Abstract::quoteInto to accept multiple question marks at Amikelive | Technology Blog

And this guy recommends modifying the function definition. I just want to know if this is the appropriate route to solving this. Thanks
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #2 (permalink)  
Old 08-12-2008, 01:59 AM
Senior Member
 
Join Date: Jul 2008
Posts: 288
Default

The other option is to use bound parameters by passing the second parameter to query(). So you don't even need quoteInto(). Like this:
Code:
...
$sql       = 'SELECT g.GalleryName, e.EventName
                ...
                WHERE g.Type = :gType AND g.GalleryID = :gGalleryId';
                
                $query     = $db->query($sql, array(
                    'gType' => $gType,
                    'gGalleryId' => $gGalleryId,
                ));
You can have as many bound parameters as you want, unfortunately you can't use the same one multiple times in the query (unless that's changed since last I looked).
__________________
Brenton Alker
PHP Developer - Brisbane, Australia

blog.tekerson.com | twitter.com/tekerson | brenton.mp
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #3 (permalink)  
Old 08-12-2008, 05:24 AM
dele454's Avatar
Member
 
Join Date: Jun 2008
Posts: 49
Default

Quote:
Originally Posted by Tekerson View Post
The other option is to use bound parameters by passing the second parameter to query(). So you don't even need quoteInto(). Like this:
Code:
...
$sql       = 'SELECT g.GalleryName, e.EventName
                ...
                WHERE g.Type = :gType AND g.GalleryID = :gGalleryId';
                
                $query     = $db->query($sql, array(
                    'gType' => $gType,
                    'gGalleryId' => $gGalleryId,
                ));
You can have as many bound parameters as you want, unfortunately you can't use the same one multiple times in the query (unless that's changed since last I looked).
Thanks but then i am not quoting any of those values! Doesnt that open me to sql injection attacks?
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #4 (permalink)  
Old 08-12-2008, 06:12 AM
Senior Member
 
Join Date: Jul 2008
Posts: 288
Default

Nope, the bound parameters are inserted by creating a prepared statement and executing it (or a facsimile of, if prepared statements are not available in your database/adapter).
__________________
Brenton Alker
PHP Developer - Brisbane, Australia

blog.tekerson.com | twitter.com/tekerson | brenton.mp

Last edited by Tekerson; 08-12-2008 at 06:13 AM. Reason: Grammar
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #5 (permalink)  
Old 10-30-2008, 10:53 AM
Junior Member
 
Join Date: Jul 2008
Posts: 2
Post re

Tekerson - i have a question related to what you said

[PHP]
$arr = array('some_id' => (int)$some_id, 'name' => $name, 'name2' => $name2);
$this->db->update('table', $arr, 'id ='.(int)$id);
[/PHP]

I am only doing trim() on $name and $name2, is this query safe? How should i escape the vars? Is Zend_Db doing it automagically?

Thanks!
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On




All times are GMT. The time now is 10:44 AM.


Designed by: Miner Skinz Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Search Engine Friendly URLs by vBSEO 3.1.0