Zend 2 - is tableGateway producing safe queries from sql injection? - zend-framework2

I was trying to search for information, but so far I cannot see any. I also checked the documentation but did not see it there.
https://framework.zend.com/manual/2.2/en/modules/zend.db.table-gateway.html
So are my queries safe? For example:
$rowset = $this->tableGateway->select(['email' => $email]);

Yes, it does.
You can try the following code to check whether the generated SQL statement is safe:
$sql = $this->tableGateway->getSql();
$select = $sql->select()->where(array("email" => $someDirtyInputHere));
// you can execute the query using $this->tableGateway->selectWith($select);
// output query
echo $sql->getSqlStringForSqlObject($select);
exit;
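As an added example (not from the question or the answer above), the following script makes the difference visible: the array form of where() sends the value to the driver as a bound parameter, while a string predicate is pasted into the SQL text. It assumes zend-db 2.x is installed via Composer and uses an in-memory SQLite database plus a constructed hostile input so it runs without a real server.

```php
<?php
// Added example: compares the array form of where() with a raw string predicate.
// Assumes zend-db 2.x via Composer; the table, rows and $dirty are constructed here.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;
use Zend\Db\TableGateway\TableGateway;

$adapter = new Adapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
$adapter->query('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)', Adapter::QUERY_MODE_EXECUTE);
$adapter->query("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')", Adapter::QUERY_MODE_EXECUTE);

// Constructed hostile input: concatenated into SQL it would turn the filter into a
// tautology; bound as a parameter it is just a string nobody's email equals.
$dirty = "x' OR '1'='1";

// 1) TableGateway::select() with an array: the value is bound, no row matches.
$gateway = new TableGateway('users', $adapter);
$rowset  = $gateway->select(['email' => $dirty]);
echo 'rows via TableGateway->select(): ', count($rowset->toArray()), PHP_EOL;   // 0

// 2) Same predicate, inspecting the prepared statement before it runs: the SQL
//    text carries a placeholder (e.g. :where1) and the value sits in the container.
$sql       = new Sql($adapter);
$select    = $sql->select('users')->where(['email' => $dirty]);
$statement = $sql->prepareStatementForSqlObject($select);
echo $statement->getSql(), PHP_EOL;
print_r($statement->getParameterContainer()->getNamedArray());

// 3) Contrast: a string predicate is passed through verbatim, so every row matches.
$unsafe = $sql->select('users')->where("email = '$dirty'");
$result = $sql->prepareStatementForSqlObject($unsafe)->execute();
echo 'rows via string where(): ', iterator_count($result), PHP_EOL;   // 2
```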

Related

Executing simple query issue in Zend 2

I want to execute two queries in Zend 2.
This is the content of my model file:
$email = $getData['login_email'];
$password = $getData['login_password'];
// $email and md5($password) are concatenated straight into the SQL text here
$select = $this->adapter->query("select count(*) as counter from users where email = '$email' and password = '".md5($password)."'");
$results = $select->execute();
if ($results->current()['counter'] == 1) {
    // $update_user = $this->adapter->query("UPDATE users SET session_id = '".$session_id."' WHERE email = '".$email."'");
    try {
        $update_user = $this->adapter->query("select * from users");
    } catch (\Exception $e) {
        \Zend\Debug\Debug::dump($e->__toString()); exit;
    }
    $update_session = $update_user->execute();
}
For some reason, if I remove one random query, the other one will be executed. I know it is weird but I believe there is a rational answer to it. The result of the try/catch part is:
I did not write the query wrong. As you can see, I tried a simple select query and I got the same result. Actually I have no idea what is wrong with this. Please help with this; I have been looking for an answer on the internet for the last 5-6 days and I found nothing. If you want me to provide any more information, please ask. Thanks.
As this answer suggests, this is an issue with the mysqli driver using unbuffered queries by default.
To fix this, you have to buffer the result of the first query before running the next one. With ZF2, the Result interface has a buffer() method to achieve this:
$results = $select->execute();
$results->buffer();
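Putting the answer into the question's login flow, as an added example (not code from the question or the answer): the first result set is buffered before the second statement runs, and both statements take their values as bound parameters instead of string concatenation. It assumes the mysqli driver the answer refers to; the function name and the $passwordHash argument are assumptions.

```php
<?php
// Added example: two sequential statements on one mysqli connection.
// Assumes an Adapter configured with 'driver' => 'Mysqli' and the users table
// from the question; updateSessionForUser() and $passwordHash are assumptions.
use Zend\Db\Adapter\Adapter;

function updateSessionForUser(Adapter $adapter, $email, $passwordHash, $sessionId)
{
    // Prepared statement: $email and $passwordHash travel as data, not SQL text.
    $check  = $adapter->query('SELECT COUNT(*) AS counter FROM users WHERE email = ? AND password = ?');
    $result = $check->execute([$email, $passwordHash]);

    // mysqli results are unbuffered by default, so the connection refuses a second
    // statement until this one is fully read or stored. buffer() stores it.
    $result->buffer();

    if ((int) $result->current()['counter'] !== 1) {
        return false;
    }

    // Second statement on the same connection now succeeds.
    $update = $adapter->query('UPDATE users SET session_id = ? WHERE email = ?');
    return $update->execute([$sessionId, $email])->getAffectedRows() === 1;
}
```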

Zend framework 2 CSV data as an array or string

I am still very new to Zend and running into some issues with exporting my data to a CSV.
I found a great resource that explains the headers and download part here; however, I am running into issues when trying to export the actual data.
If I create a variable like $content = "test", the export works fine using the code above.
However, when I duplicate my indexAction code, make some changes, and bring it into my downloadAction, I am getting issues that I believe are due to my content being returned as an Object rather than an array or string.
My Module is grabbing the SQL by using:
public function fetchAllMembers($order = null, $order_by = null, $selectwhere = null)
{
    $session = new SessionContainer('logggedin_user');
    $sql = new Sql($this->adapter);
    $select = new Select();
    $select->from(array('u' => 'tbl_all_data'));
    if ($selectwhere != null) {
        $select->where($selectwhere);
    }
    // $order_by and $order are concatenated into the ORDER BY clause as given
    $select->order($order_by . ' ' . $order);
    $selectString = $sql->getSqlStringForSqlObject($select);
    $results = $this->adapter->query($selectString, Adapter::QUERY_MODE_EXECUTE);
    $results->buffer();
    return $results;
}
and my Controller is calling that SQL by using:
$content = $modulesTable->fetchAllMembers($order, $order_by, $where);
Any help would be greatly appreciated, and I don't need anyone to write the code for me, just help with pointing me in the right direction.
$this->adapter->query returns a Zend\Db\ResultSet object. So you need to call $results = $results->toArray(); to send an array.
Also you need to loop through the array and echo it out in your view file.
Results returned by the adapter are of ResultSet type. I guess you need to call at least the current() method to grab some data. And they will be of array type, so, again, you need to do something with them.
toArray() is often used to quickly get data.
A more sophisticated way to get data is to use the next() method with current():
$firstThing = $result->current();
$result->next();
$result->next();
$thirdThing = $result->current();
It's just an example, but it can be useful in some cases.
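One way to turn the ResultSet that fetchAllMembers() returns into CSV text, as an added example rather than code from the question or the answers: toArray() flattens the rows as the answers suggest, and fputcsv handles quoting of commas, quotes and newlines inside cell values. The rows below are constructed so the snippet runs without a database; resultSetToCsv() is an assumed name.

```php
<?php
// Added example: ResultSet -> CSV string. Assumes zend-db 2.x via Composer;
// resultSetToCsv() and the sample rows are constructed for this illustration.
require 'vendor/autoload.php';

use Zend\Db\ResultSet\ResultSet;

function resultSetToCsv(ResultSet $results)
{
    $rows = $results->toArray();            // ArrayObject rows become plain arrays
    if (empty($rows)) {
        return '';
    }
    $fh = fopen('php://temp', 'r+');
    fputcsv($fh, array_keys($rows[0]));     // header line from the column names
    foreach ($rows as $row) {
        fputcsv($fh, $row);                 // quotes fields that contain , " or newlines
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample standing in for what tbl_all_data would return.
$results = new ResultSet();
$results->initialize([
    ['id' => 1, 'name' => 'Ann "A" Lee', 'city' => 'Paris, FR'],
    ['id' => 2, 'name' => 'Bob',         'city' => 'Oslo'],
]);
echo resultSetToCsv($results);   // $content for the downloadAction response body
```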

No results returns while using 'where' clause in zend framework 2

I am using a simple select object to list all the parent categories as follows:
$select = $this->sql->select();
$select->where(array('cat_parent_id' => 2));
$statement = $this->sql->prepareStatementForSqlObject($select);
$result = $statement->execute();
When I run the above code, I do not get an error message but I always get a null result. If I use the where clause without the array params, then I get the good results:
$select->where('cat_parent_id=2');
To learn more, I tried to get the SQL string using the code below:
$select = $this->sql->select();
$select->where(array('cat_parent_id' => 2));
$sqlstring = $this->sql->getSqlStringForSqlObject($select);
I get a warning:
Notice: Attempting to quote a value in Zend\Db\Adapter\Platform\Mysql without extension/driver support can introduce security vulnerabilities in a production environment. in D:\wamp\www\shops\vendor\ZF2\library\Zend\Db\Adapter\Platform\Mysql.php on line 128
I really would like to use the array method inside the where clause. Any help would be very appreciated. :)

How to simulate "not in" with a join in Zend framework?

I have two related tables, "demande" and "reponse", which are linked, and I'd like to retrieve all the lines of "demande" not in "reponse".
I try this with a join:
$select = new Select();
$select->columns(array("id"));
$select->from("demande");
$select->where->lessThan("dateArretMarche", $stringDate);
$select->join(
    array("rep" => 'reponse'), // table name
    'demande.id = rep.id_demande',
    array(),
    $select::JOIN_RIGHT
);
$select->where->isNull("rep.id"); // <== it doesn't work
But I can't select the "null" lines.
I guess it's possible with "not in" but Zend Framework provides only the "in" predicate.
Thanks all.
What if you just include it in the query? Like this:
$select ->where('rep.id IS NULL');
If you want to use an isNull condition, you need to use it with a Predicate. Try the following code:
$select->where(array(
    new \Zend\Db\Sql\Predicate\IsNotNull("rep.id")
));
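The anti-join the question is after, built with Zend\Db\Sql and actually run, as an added example (not code from the question or the answers). It uses a LEFT join from "demande", so that rows without a matching "reponse" carry NULLs in rep.* and the IS NULL predicate can pick them out; the tables, rows and cutoff date are constructed, and it assumes zend-db 2.x via Composer with an in-memory SQLite database.

```php
<?php
// Added example: "rows of demande with no reponse" as LEFT JOIN + IS NULL.
// Assumes zend-db 2.x via Composer; schema, rows and the date are constructed.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Select;
use Zend\Db\Sql\Sql;

$adapter = new Adapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
foreach ([
    'CREATE TABLE demande (id INTEGER PRIMARY KEY, dateArretMarche TEXT)',
    'CREATE TABLE reponse (id INTEGER PRIMARY KEY, id_demande INTEGER)',
    "INSERT INTO demande VALUES (1, '2013-01-01'), (2, '2013-02-01'), (3, '2014-06-01')",
    'INSERT INTO reponse VALUES (10, 1)',          // only demande 1 has a reponse
] as $statement) {
    $adapter->query($statement, Adapter::QUERY_MODE_EXECUTE);
}

$sql    = new Sql($adapter);
$select = $sql->select();
$select->columns(['id'])
       ->from('demande')
       // LEFT keeps every demande row; unmatched rows get NULL for rep.id
       ->join(['rep' => 'reponse'], 'demande.id = rep.id_demande', [], Select::JOIN_LEFT);
$select->where->lessThan('dateArretMarche', '2014-01-01');   // bound as a parameter
$select->where->isNull('rep.id');                             // the "NOT IN" part

$prepared = $sql->prepareStatementForSqlObject($select);
echo $prepared->getSql(), PHP_EOL;   // ... LEFT JOIN ... WHERE ... < :where1 AND "rep"."id" IS NULL
foreach ($prepared->execute() as $row) {
    echo 'demande without reponse: ', $row['id'], PHP_EOL;   // prints 2 only
}
```

Row 1 is excluded because it has a reponse and row 3 because its date is past the cutoff, leaving row 2.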

In ZF2, Getting last insert id after insertion without using TableGateway

I need the last insert id after executing an insert statement. Now I am not using TableGateway, so $this->lastInsertValue is not available to me. What other options are available if I need to use an Insert statement through an Sql object, not a TableGateway object?
$objInsert = new Insert('name_master');
$objInsert->values(array(
    'username' => $name,
    'price' => 0,
    'is_approval_needed' => 'n'
));
$sql = new Sql($this->adapter);
$result = $sql->prepareStatementForSqlObject($objInsert)->execute()->getAffectedRows();
As I need to execute multiple insert statements in different tables using the last insert id of the previous insert, I want to do it in a single method of my Model.
The Zend\Db\Adapter\Driver\DriverInterface specifies a getLastGeneratedValue() method, so presumably this should work...
$lastId = $this->adapter->getDriver()->getLastGeneratedValue();
$dbAdapter = $this->tableGateway->adapter;
$lastId = $dbAdapter->getDriver()->getConnection()->getLastGeneratedValue();
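Chaining two inserts in one model method on top of the answers' getLastGeneratedValue(), as an added example (not code from the question or the answers): the second insert uses the key generated by the first, and both are wrapped in a transaction on the connection so a failure of the second leaves no orphan master row. It assumes zend-db 2.x via Composer and an in-memory SQLite database; the name_detail table, its columns and createNameWithDetail() are constructed for this illustration.

```php
<?php
// Added example: dependent inserts through Sql\Insert, chained via getLastGeneratedValue().
// Assumes zend-db 2.x via Composer; name_detail and createNameWithDetail() are constructed.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Insert;
use Zend\Db\Sql\Sql;

$adapter = new Adapter(['driver' => 'Pdo_Sqlite', 'database' => ':memory:']);
$adapter->query('CREATE TABLE name_master (id INTEGER PRIMARY KEY, username TEXT, price INTEGER, is_approval_needed TEXT)', Adapter::QUERY_MODE_EXECUTE);
$adapter->query('CREATE TABLE name_detail (id INTEGER PRIMARY KEY, master_id INTEGER, note TEXT)', Adapter::QUERY_MODE_EXECUTE);

function createNameWithDetail(Adapter $adapter, $name, $note)
{
    $sql        = new Sql($adapter);
    $connection = $adapter->getDriver()->getConnection();
    $connection->beginTransaction();   // both rows or neither
    try {
        $master = new Insert('name_master');
        $master->values(['username' => $name, 'price' => 0, 'is_approval_needed' => 'n']);
        $sql->prepareStatementForSqlObject($master)->execute();

        // Read the generated key on the same connection, before any other statement.
        $masterId = (int) $adapter->getDriver()->getLastGeneratedValue();

        $detail = new Insert('name_detail');
        $detail->values(['master_id' => $masterId, 'note' => $note]);
        $sql->prepareStatementForSqlObject($detail)->execute();

        $connection->commit();
        return $masterId;
    } catch (\Exception $e) {
        $connection->rollback();
        throw $e;
    }
}

$id = createNameWithDetail($adapter, "O'Brien", 'first entry');   // the quote is bound, not spliced
echo 'master id: ', $id, PHP_EOL;                                  // 1
foreach ($adapter->query('SELECT master_id, note FROM name_detail', Adapter::QUERY_MODE_EXECUTE) as $row) {
    echo $row['master_id'], ' ', $row['note'], PHP_EOL;             // 1 first entry
}
```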