I'm new to Zend Framework (1.12). In my model, in my Zend_Db_Table, I want to validate the input (to avoid SQL injection) and I want to do this query:
`SELECT id FROM friendships WHERE (user1= $user1 AND user2= $user2 ) OR (user1= $user2 AND user2= $user1 );`
In the examples I have seen they use something like `$db->quoteInto('string');`
but in the model, what do I have to do? I can't write `$this->quoteInto('string')`.
...
Second question: how can I put multiple values in the quoteInto function? How do you validate input in your models? (not forms)
And last question: which steps do you follow to create an application using Zend Framework? I mean, first you plan your project, second you write the model, then you write controllers and finally views (suppose you are alone working on it).
PS: I apologize for my English, but I hope you'll understand. Thanks a lot and happy new year!!
Zend_Db_Table will provide the quotes most of the time, even when you don't explicitly use select().
Zend_Db usually will:
```php
// query is broken into multiple lines for more clarity and is just an example
$select = $this->getAdapter()->select();
$select->from('friendships');
$select->where('user1 = ?', $user1);   // the ? placeholder is quoted for you
$select->where('user2 = ?', $user2);   // successive where() calls are tied together with AND
$select->orWhere('user1 = ?', $user2); // orWhere() ties with OR
$rows = $this->getAdapter()->fetchAll($select); // run it
```
As long as your queries use the select() object they will be quoted.
When you need to do an insert or an update where the select object is not available use quoteInto():
```php
// in your DbTable models
$where = $this->getAdapter()->quoteInto('user1 = ?', $user1);
// Zend_Db_Table_Abstract::update($data, $where) targets this table;
// the adapter's own update() would need the table name as its first argument
$result = $this->update($data, $where);
```
> second question is how can i put multiple values in quoteInto function?
the api is:
```php
/**
 * @param string  $text  The text with a placeholder.
 * @param mixed   $value The value to quote.
 * @param string  $type  OPTIONAL SQL datatype
 * @param integer $count OPTIONAL count of placeholders to replace
 * @return string An SQL-safe quoted value placed into the original text.
 */
public function quoteInto($text, $value, $type = null, $count = null)
```
So multiple values are not really supported by quoteInto(); however, other quote functions are available.
> how do you validate input in your models? (not forms)
Use the same classes that you use when validating forms: Zend_Validate and Zend_Filter. The easiest way is to use Zend_Filter_Input():
```php
// multiple methods demonstrated: a filter name as a string and a filter instance
$filters    = array('*' => 'StringTrim', 'zip' => new Zend_Filter_Digits());
$validators = array('name' => 'Alnum');
$input      = new Zend_Filter_Input($filters, $validators, $data);
if ($input->isValid()) {
    // do some stuff with $input->getEscaped('name') etc.
}
```
> and last question, which steps do you follow to create an apllication usign zend framework? i mean, first you plan your project, second you write model, then you write controllers and finally views ( suppose you are alone to work on it ).
It's your application, do it how you want. Not meaning to be snide but the application will let you know what it needs. Typically you will get something to display and some data to manipulate. Then just go and build the plan.
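As an added example (not part of the answer above), here is a Zend_Db_Table model method that does both things the question asks for: it validates the two user ids with Zend_Filter_Input inside the model, then builds the exact two-branch query from the question, using quoteInto() once per value so each (user1 AND user2) pair is grouped correctly. The class name Model_DbTable_Friendships and the method name are assumptions; the table and column names come from the question.

```php
<?php
// Assumes the ZF1 autoloader is registered (e.g. by Zend_Application).
class Model_DbTable_Friendships extends Zend_Db_Table_Abstract
{
    protected $_name = 'friendships';

    /**
     * Return the ids of friendship rows linking $user1 and $user2 in either
     * direction, i.e. the query from the question.
     *
     * @throws InvalidArgumentException when either id is not an integer
     * @return array list of ids (empty array if no row matches)
     */
    public function findFriendshipIds($user1, $user2)
    {
        // 1. Validate in the model with the same classes used for forms.
        $filters    = array('*' => 'StringTrim');
        $validators = array(
            'user1' => array('Int', 'presence' => 'required'),
            'user2' => array('Int', 'presence' => 'required'),
        );
        $data  = array('user1' => $user1, 'user2' => $user2);
        $input = new Zend_Filter_Input($filters, $validators, $data);
        if (!$input->isValid()) {
            throw new InvalidArgumentException('user1 and user2 must be integers');
        }
        $u1 = (int) $input->getUnescaped('user1');
        $u2 = (int) $input->getUnescaped('user2');

        // 2. quoteInto() takes a single value, so quote each side of the pair
        //    separately and join the fragments; INT_TYPE forces integer quoting.
        $db   = $this->getAdapter();
        $pair = $db->quoteInto('user1 = ?', $u1, Zend_Db::INT_TYPE) . ' AND '
              . $db->quoteInto('user2 = ?', $u2, Zend_Db::INT_TYPE);
        $swap = $db->quoteInto('user1 = ?', $u2, Zend_Db::INT_TYPE) . ' AND '
              . $db->quoteInto('user2 = ?', $u1, Zend_Db::INT_TYPE);

        // 3. Zend_Db_Select wraps every where()/orWhere() condition in its own
        //    parentheses, so the generated SQL is:
        //    SELECT id FROM friendships
        //    WHERE (user1 = 1 AND user2 = 2) OR (user1 = 2 AND user2 = 1)
        $select = $db->select()
            ->from($this->_name, array('id'))
            ->where($pair)
            ->orWhere($swap);

        return $db->fetchCol($select);
    }
}
```

Non-integer input is rejected by Zend_Filter_Input before any SQL is assembled, and the integer type passed to quoteInto() means the values that do reach the query are emitted as bare integers rather than quoted strings.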