
When I set up an auth adapter, to prevent SQL injection, do I need to filter or process the user input before giving it to the setIdentity and setCredential methods?

This is my code. I use the unprocessed post data from $request->getPost('username') and feed it right into setIdentity() and setCredential(). Is this insecure? I've seen most blogging examples do this without doing anything else, but that could be bad practice. Do setIdentity() and setCredential() handle the input correctly when adding the data to the query?

$request = $this->getRequest();
// Raw, unfiltered POST values go straight into the adapter
$adapter->setIdentity($request->getPost('username'));
$adapter->setCredential($request->getPost('password'));
samquo
    When you use PDO prepared statements, the SQL injection protection is handled automatically. You'd better worry about XSS or session security here. – takeshin Dec 08 '10 at 16:03

3 Answers

3

If you look into the AuthAdapterClass, you will see this method for building the query:

protected function _authenticateCreateSelect()
{
    // other code
    // ..

    // The credential comparison is built with quoteInto(): the raw value given to
    // setCredential() ($this->_credential) is escaped and quoted in place of the
    // '?' in $this->_credentialTreatment, and the column name is quoted as an
    // identifier, so neither is spliced into the SQL unquoted.
    $credentialExpression = new Zend_Db_Expr(
        '(CASE WHEN ' .
        $this->_zendDb->quoteInto(
            $this->_zendDb->quoteIdentifier($this->_credentialColumn, true)
            . ' = ' . $this->_credentialTreatment, $this->_credential
        )
        . ' THEN 1 ELSE 0 END) AS '
        . $this->_zendDb->quoteIdentifier(
            $this->_zendDb->foldCase('zend_auth_credential_match')
        )
    );
}

They are using quoteInto, so in my opinion no additional escaping is necessary.

opHASnoNAME
0

You should look at how your SQL statements are formatted. If you have parameterized SQL like "SELECT * FROM USER WHERE username=?", then you automatically avoid the problem of SQL injection. But if you format your SQL yourself, like "SELECT * FROM user WHERE username='" . $username . "'", then you may be vulnerable to SQL injection.

rustyx
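To make the difference described in this answer (and the quoteInto() point in the answer above) concrete, here is an added example that is not from the question, from any of the answers, or from Zend Framework itself. It runs the same attacker-controlled username through three login checks against an in-memory SQLite table: one that concatenates the value into the SQL, one that binds it with a PDO prepared statement, and one that escapes and quotes it before interpolation, which is the mechanism Zend_Db's quoteInto() relies on (PDO::quote() stands in for Zend's own code here). The table, columns, sample row, function names and the injected input are all constructed for the demo.

```php
<?php
// Added example: three ways of putting a user-supplied username into a
// login query, and how each behaves on an injection payload.
// Requires the pdo_sqlite extension. Table/columns/row are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')");

// UNSAFE: raw input concatenated into the statement, the pattern the answer
// above warns about. The value is parsed as SQL.
function loginConcat(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    return (int) $db->query($sql)->fetchColumn() === 1;
}

// SAFE: placeholders bound through a prepared statement. The driver receives
// the value separately from the SQL text and never parses it as SQL.
function loginPrepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return (int) $stmt->fetchColumn() === 1;
}

// ALSO SAFE: the value is escaped and wrapped in quotes before being spliced
// into the SQL string. This is what Zend_Db_Adapter_Abstract::quoteInto() does
// for each '?' (it calls quote() on the value); PDO::quote() is used here
// instead of Zend's code so the example stands alone.
function loginQuoted(PDO $db, string $username, string $password): bool
{
    $sql = 'SELECT COUNT(*) FROM users WHERE username = ' . $db->quote($username)
         . ' AND password = ' . $db->quote($password);
    return (int) $db->query($sql)->fetchColumn() === 1;
}

// Constructed attacker input: closes the string literal and adds an
// always-true OR clause, so the password condition no longer matters
// once the text is parsed as SQL.
$evilUser  = "alice' OR '1'='1";
$wrongPass = 'not the password';

$checks = [
    'concatenated' => 'loginConcat',
    'prepared'     => 'loginPrepared',
    'quoted'       => 'loginQuoted',
];

foreach ($checks as $label => $fn) {
    printf("%-13s legitimate login: %s\n", $label,
        $fn($db, 'alice', 'correct horse') ? 'accepted' : 'rejected');
    printf("%-13s injected username: %s\n", $label,
        $fn($db, $evilUser, $wrongPass) ? 'accepted' : 'rejected');
}
```

Run it with the PHP CLI. All three functions accept the legitimate credentials; only the concatenated version also accepts the injected username with a wrong password, because the OR clause becomes part of the WHERE logic. In the prepared and quoted versions the whole payload is compared as a literal username and finds no row. One caveat worth keeping in mind with the quoting approach: it is only as good as the quote() implementation for the database in use, which is why binding parameters is the preferred default.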
0

I used to have two-step validation:

  1. When you build a login form, you could have added some filters and validators [for example: rules for the username to be a valid email address and the password to have letters and numbers only], and your form won't pass the user input unless it's valid.

  2. Zend_Auth_Db or any other DB-based adapter like doctrine_adapter internally uses prepared statements, which are secure :)

tawfekov