How to prevent SQL Injection attack in applications programmed in Zend Framework?

I don't have any concept of ZF safety. Do I have to use Filter when operating on the database? Maybe binding is enough? How about this:

$users->update($data, 'id=1');

Should the $data array be filtered somehow? Feel free to write anything you know about the issue.

Could you give some links to good articles about safety in ZF (mainly about SQL Injection and XSS)?

-------------Problems Reply------------

Short answer
While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you'd use without Zend Framework.

Regarding your code snippet, check out the Chapter on Zend_Db in the Reference Guide:

By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You don't need to apply escaping or quoting to values in the data array.

This doesn't mean you don't have to bother about security. For instance, for the update method above:

The third argument is a string containing an SQL expression that is used as criteria for the rows to change. The values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting Values and Identifiers for methods to help you do this.

Note that since you are obviously using Zend_Db_Table, the third argument is the second argument here. Internally, the table instance delegates the call to the db adapter, with the first parameter being the table instance's table name.

Regarding Zend_View and XSS attack vectors:

Zend_View comes with an initial set of helper classes, most of which relate to form element generation and perform the appropriate output escaping automatically.

Again, most of which does not mean all. Zend_View does provide Zend_View::escape() to help you sanitize output, but this is nothing special.
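As an added example (not part of the answer above, and not code from the Zend Framework itself), the following script shows the asymmetry the manual describes: the $data values of update() are bound, but the where argument is raw SQL. It assumes Zend Framework 1.x on the include_path and uses an in-memory SQLite database constructed here; the users table, its columns and the attacker string are made up for the demonstration.

```php
<?php
// Added example (not from the original answers). Assumes Zend Framework 1.x on the
// include_path and builds an in-memory SQLite database purely for the demonstration.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Hypothetical table class; the schema below is assumed for this example.
class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

function buildDb()
{
    $db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
    $db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER NOT NULL DEFAULT 0)');
    $db->insert('users', array('id' => 1, 'name' => 'alice'));
    $db->insert('users', array('id' => 2, 'name' => 'bob'));
    $db->insert('users', array('id' => 3, 'name' => 'carol'));
    return $db;
}

function adminCount(Zend_Db_Adapter_Abstract $db)
{
    return (int) $db->fetchOne('SELECT COUNT(*) FROM users WHERE is_admin = 1');
}

// Constructed attacker input, e.g. the raw value of ?id=... taken from the request.
$id   = '1 OR 1=1';
// The values in $data are bound as parameters, so they need no quoting at all.
$data = array('is_admin' => 1);

// 1. Vulnerable: the where argument is used verbatim, so the request value becomes
//    part of the statement:  UPDATE users SET is_admin = ? WHERE id = 1 OR 1=1
//    and every row is promoted.
$db    = buildDb();
$users = new Users(array('db' => $db));
$users->update($data, "id = $id");
printf("raw where clause:     %d of 3 users are admin\n", adminCount($db));

// 2. Quoted through the adapter: quoteInto() turns the value into a SQL string
//    literal, WHERE id = '1 OR 1=1', which matches no row.
$db    = buildDb();
$users = new Users(array('db' => $db));
$users->update($data, $db->quoteInto('id = ?', $id));
printf("quoteInto:            %d of 3 users are admin\n", adminCount($db));

// 3. Quoted and typed: Zend_Db::INT_TYPE makes the adapter cast the value to an
//    integer before quoting, WHERE id = 1, so only the intended row can match.
$db    = buildDb();
$users = new Users(array('db' => $db));
$users->update($data, $db->quoteInto('id = ?', $id, Zend_Db::INT_TYPE));
printf("quoteInto + INT_TYPE: %d of 3 users are admin\n", adminCount($db));
```

Case 2 is already safe against injection, but it relies on the database's comparison rules to reject the literal; passing the type (or casting with (int) before quoting) states the intent explicitly and is what to prefer for identifiers that are known to be integers.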

The same concept is valid for the Zend Framework and for every other web application/library/whatever that manipulates user data:

Always validate user input. Trust no one.

If you're expecting a string, be sure you receive a string. This can be performed using framework libraries (for example, in this very case you're using the Zend framework) or by manually implementing validation functions.

Validation must ALWAYS be performed on Server Side. Client side validation should also be present, to provide a better user experience.

In the case of Zend, please refer to the Validation page from the manual.

Binding should prevent SQL injection but it does nothing to prevent XSS. You should always filter your data as necessary and when echoing output in the view, you should escape anything that might be dangerous.

echo $this->escape($this->foo);
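An added example, not part of the answer above or of Zend_View itself, showing why escape() alone is not enough in every output context. It assumes Zend Framework 1.x on the include_path and that Zend_View::escape() defaults to htmlspecialchars() with ENT_COMPAT, which leaves single quotes unencoded; the attacker string is constructed for the demonstration.

```php
<?php
// Added example (not from the original answers). Assumes Zend Framework 1.x on the
// include_path; the input value is constructed to break out of a single-quoted attribute.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed attacker input, e.g. a display name taken from a form.
$name = "x' onmouseover='alert(1)";

$view = new Zend_View();
$view->name = $name;

// Default escape(): htmlspecialchars() with ENT_COMPAT encodes <, >, & and double
// quotes, but not single quotes. In a single-quoted attribute the value still
// breaks out:  <input value='x' onmouseover='alert(1)'>
$broken = "<input value='" . $view->escape($view->name) . "'>";
echo "default escape, single-quoted attribute: ", $broken, "\n";

// Fix A: delimit attributes with double quotes, which the default escape() does encode.
$fixedA = '<input value="' . $view->escape($view->name) . '">';
echo "default escape, double-quoted attribute: ", $fixedA, "\n";

// Fix B: install an escape callback that encodes both quote styles for the whole view,
// so templates that use $this->escape() are covered regardless of attribute quoting.
$view->setEscape(function ($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
});
$fixedB = "<input value='" . $view->escape($view->name) . "'>";
echo "ENT_QUOTES escape, single-quoted attribute: ", $fixedB, "\n";
```

Both fixes only cover HTML text and attribute contexts; a value written into a script block or a URL needs the encoding for that context (Zend_Json::encode() for JavaScript, urlencode() for query strings), not HTML escaping.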

I would suggest the use of Zend Filters wherever you need something specific. You can use them at any point in your application.

Request Parameter

$alpha = new Zend_Filter_Alpha();
$name = $alpha->filter($this->_request->getParam('name')); // while processing URL parameters


$int = new Zend_Filter_Int();
$select->where("id = ?", $int->filter($id)); // during db processing also

Also in form elements. I will skip this, as examples of this can be found abundantly.
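An added example (not part of the answer above) contrasting the filter approach shown there with a validator, since the two behave differently on hostile input: a filter coerces whatever it is given into something of the right shape, a validator lets the request be refused. It assumes Zend Framework 1.x on the include_path; the sample request values are constructed.

```php
<?php
// Added example (not from the original answers). Assumes Zend Framework 1.x on the
// include_path; the sample values stand in for what getParam() would return.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed request values: one honest id and several things an attacker might send.
$samples = array('42', '1 OR 1=1', '7; DROP TABLE users', 'abc', '');

$filter    = new Zend_Filter_Int();
$validator = new Zend_Validate_Int();

foreach ($samples as $raw) {
    // Zend_Filter_Int casts: every input silently becomes some integer, so the
    // application goes on to act on a value the client never legitimately sent.
    $coerced = $filter->filter($raw);
    // Zend_Validate_Int reports whether the input was an integer to begin with.
    $isInt = $validator->isValid($raw);
    printf("%-26s filter=%-3d valid=%s\n", var_export($raw, true), $coerced, $isInt ? 'yes' : 'no');
}

// Pattern for a controller action: validate, then cast, then bind. Returns the id
// to use in the query or null when the request should be answered with an error.
function requireIntParam($raw, Zend_Validate_Interface $validator)
{
    if (!$validator->isValid($raw)) {
        return null; // caller responds with 400 instead of guessing an id
    }
    return (int) $raw;
}

foreach (array('42', '1 OR 1=1') as $raw) {
    $id = requireIntParam($raw, $validator);
    echo var_export($raw, true), ' -> ', ($id === null ? 'rejected' : "id $id"), "\n";
}
```

Filters are the right tool for normalisation (trimming, case folding, stripping markup from free text); for anything that ends up in a where clause or a primary-key lookup, validate and reject first, then bind the cast value with a placeholder as the answer's $select->where("id = ?", ...) does.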

Category:php Views:1 Time:2010-03-03

