2

I have recently inherited an application, written using ZF, which has various fields encrypted in the db. There are many models extending Zend_Db_Table_Abstract with code similar to this example -

<?php
class Partner extends Zend_Db_Table_Abstract {

    protected $_name = 'partner', $_primary = 'id';

    public function createPartner( $mobile ){

        $id = $this->insert( array(
                        'mobile' => new Zend_Db_Expr("AES_ENCRYPT('$mobile', 'random_key')"),
                        'createdOn' => date('Y-m-d H:i:s', mktime())
                    ) );

        $res = $this->find($id);
        return $res->current();
    }

}
?>

My concern with this code is that $mobile is being passed literally into the query. What is the cleanest way to modify the way this value is being set, so that it uses quoteInto or some other method that uses place holders to parametrise the query?

Improve this question

2 Answers 2

Reset to default
5

How about

public function createPartner( $mobile ){

    $id = $this->insert( array(
                    'mobile' => new Zend_Db_Expr($this->getAdapter()->quoteInto("AES_ENCRYPT(?, 'random_key')", $mobile)),
                    'createdOn' => date('Y-m-d H:i:s', mktime())
                ) );

    $res = $this->find($id);
    return $res->current();
}

This seems to work but is there some problem with it that I am missing?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

use prepared statement in this case :

$mobile = new Zend_Db_Expr("AES_ENCRYPT('$mobile', 'random_key')");
$date = date('Y-m-d H:i:s', mktime());

$stmt = $this->getAdapter()->prepare('INSERT INTO'.$this->_name.'(mobile, createdOn) VALUES (?, ?)');
$stmt->execute(array($mobile, $date));
Improve this answer

1 Comment

Thank you for this. I am aware of this way but was hoping there may be a way of doing it without having to rewrite every method that is currently using insert(). Any other suggestions?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.