How do I avoid SQL injection when running a native SQL query with parameter input?
e.g.
$sql = "Select * from eav_attribute where attribute_id = {$attribute_id} ";
$result = $this->_connection->fetchRow($sql);
(2) Phillip's answer should cover the specific question that you asked, as well as serve as a good reference for any future database access topics that you might think of while customizing your Magento logic. But I did want to applaud you for thinking ahead about security concerns and specifically about preventing SQL injection attempts. The Magento team has done an amazing job focusing on security topics; as you dig into the codebase you'll find that many of the concerns that you have are addressed somewhere or another, but it's never a bad idea to post questions here about security if ever you are unsure! – Bryan 'BJ' Hoffpauir Jr., Aug 9, 2016 at 2:35
(2) Thanks BJ - wonderful and welcoming response. When in doubt, ask! Thanks ZZpaul – philwinkle, Aug 9, 2016 at 4:33
1 Answer
The most correct answer is "don't directly query the database" - you should be using the ORM which would protect you in these situations. Especially when grabbing data out of the EAV tables.
The longer answer is that to do this safely you need to bind the query parameters to the query with Zend_Db_Select's bind rather than using a full SQL statement:
$query = $this->_connection->select()->from('eav_attribute')->where('attribute_id=?', $attributeId);
$result = $this->_connection->fetchAll($query);
For more information see answers like this one: https://magento.stackexchange.com/a/103038/336
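As an added example (not code from the question, the answer, or Magento itself), the interpolated query from the question is placed beside a parameterised version and both are run against an in-memory SQLite table built inside the script, so it runs offline with plain PHP and PDO. The table, its rows, and the two inputs are constructed for the demonstration; the real eav_attribute table has more columns. The Magento 1 adapter calls named in the comments (`fetchRow($sql, $bind)` and `select()->where('attribute_id = ?', $id)`) are the Zend_Db equivalents of the PDO calls shown.

```php
<?php
// Added example, not part of the original thread: shows why string interpolation
// lets input rewrite the WHERE clause while a bound parameter cannot.

// Constructed fixture: an in-memory SQLite stand-in for Magento's eav_attribute table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE eav_attribute (attribute_id INTEGER PRIMARY KEY, attribute_code TEXT)');
$pdo->exec("INSERT INTO eav_attribute VALUES (1, 'name'), (2, 'sku'), (3, 'price')");

// Vulnerable: untrusted input is pasted into the SQL text, exactly as in the question.
function fetchInterpolated(PDO $pdo, string $attributeId): array
{
    $sql = "SELECT * FROM eav_attribute WHERE attribute_id = {$attributeId}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value travels to the database as a bound parameter, never as SQL text.
// Magento 1's adapter has the same shape:
//   $this->_connection->fetchRow('SELECT ... WHERE attribute_id = ?', array($id));
//   $this->_connection->select()->from('eav_attribute')->where('attribute_id = ?', $id);
function fetchBound(PDO $pdo, string $attributeId): array
{
    $stmt = $pdo->prepare('SELECT * FROM eav_attribute WHERE attribute_id = ?');
    $stmt->execute([$attributeId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: attribute_id is an integer column, so reject anything that is
// not a plain non-negative integer before it reaches any query at all.
function requireIntId(string $raw): int
{
    if (!preg_match('/^\d+$/', $raw)) {
        throw new InvalidArgumentException('attribute_id must be a non-negative integer');
    }
    return (int) $raw;
}

$benign  = '2';
$hostile = '2 OR 1=1';   // constructed input that changes the WHERE clause when interpolated

printf("interpolated, benign : %d row(s)\n", count(fetchInterpolated($pdo, $benign)));
printf("interpolated, hostile: %d row(s)\n", count(fetchInterpolated($pdo, $hostile)));
printf("bound, benign        : %d row(s)\n", count(fetchBound($pdo, $benign)));
printf("bound, hostile       : %d row(s)\n", count(fetchBound($pdo, $hostile)));

try {
    requireIntId($hostile);
} catch (InvalidArgumentException $e) {
    echo "validation rejected hostile input: ", $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The interpolated version returns the whole table for the second input because the text became part of the SQL, whereas the bound version treats the same text as one literal value to compare against attribute_id and matches nothing in SQLite (MySQL would instead cast the string to 2 with a warning and return that single row; either way the clause itself is untouched). The integer check in front of the query is cheap and turns a malformed id into an explicit error rather than a silent cast.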
Is there an official document that describes the API that handles the ORM? – fotfs, Aug 9, 2016 at 7:41
(3) In short it's basically just the Zend_Db_Select API from ZF1: framework.zend.com/manual/1.10/en/zend.db.select.html – philwinkle, Aug 9, 2016 at 14:56
(1) The Magento ORM is woefully lacking in documentation. – philwinkle, Aug 9, 2016 at 14:56