
I have recently inherited an application, written using ZF, which has various fields encrypted in the db. There are many models extending Zend_Db_Table_Abstract with code similar to this example -

<?php
class Partner extends Zend_Db_Table_Abstract {

    protected $_name = 'partner', $_primary = 'id';

    public function createPartner( $mobile ){

        $id = $this->insert( array(
                        'mobile' => new Zend_Db_Expr("AES_ENCRYPT('$mobile', 'random_key')"),
                        'createdOn' => date('Y-m-d H:i:s', mktime())
                    ) );

        $res = $this->find($id);
        return $res->current();
    }

}
?>

My concern with this code is that $mobile is being passed literally into the query. What is the cleanest way to modify the way this value is being set, so that it uses quoteInto or some other method that uses place holders to parametrise the query?

vascowhite
user1191247

2 Answers


How about

public function createPartner( $mobile ){

    $id = $this->insert( array(
                    'mobile' => new Zend_Db_Expr($this->getAdapter()->quoteInto("AES_ENCRYPT(?, 'random_key')", $mobile)),
                    'createdOn' => date('Y-m-d H:i:s', mktime())
                ) );

    $res = $this->find($id);
    return $res->current();
}

This seems to work, but is there some problem with it that I am missing?

user1191247

Use a prepared statement in this case:

$date = date('Y-m-d H:i:s', mktime());

// Bind the plaintext and the key as parameters; AES_ENCRYPT() itself stays in the SQL text.
// A Zend_Db_Expr must not be passed as a bound value: it is not evaluated as SQL when bound.
$stmt = $this->getAdapter()->prepare('INSERT INTO ' . $this->_name . ' (mobile, createdOn) VALUES (AES_ENCRYPT(?, ?), ?)');
$stmt->execute(array($mobile, 'random_key', $date));
Mouna Cheikhna
  • Thank you for this. I am aware of this way but was hoping there may be a way of doing it without having to rewrite every method that is currently using insert(). Any other suggestions? – user1191247 Feb 28 '12 at 22:07
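An added example, not code from the question or either answer, that generalises the quoteInto() approach of the first answer to address the comment above: a base table class wraps configured columns in a quoted AES_ENCRYPT() expression inside insert() and update(), so existing models keep passing plaintext and need not be rewritten method by method. App_Db_Table_Encrypted, $_encryptedColumns and the Zend_Registry config path are assumed names for illustration.

```php
<?php
// Added example: escape plaintext and key with the adapter's quote() before they reach SQL text.
abstract class App_Db_Table_Encrypted extends Zend_Db_Table_Abstract
{
    /** Columns stored with AES_ENCRYPT(); each model lists its own. */
    protected $_encryptedColumns = array();

    /** Key comes from configuration, not from a string baked into each query. */
    protected function _getEncryptionKey()
    {
        return Zend_Registry::get('config')->db->aesKey; // assumed config path
    }

    /** Replace plaintext values of encrypted columns with a safely quoted expression. */
    protected function _wrapEncrypted(array $data)
    {
        $adapter = $this->getAdapter();
        $key = $adapter->quote($this->_getEncryptionKey());
        foreach ($this->_encryptedColumns as $column) {
            if (isset($data[$column]) && !($data[$column] instanceof Zend_Db_Expr)) {
                $data[$column] = new Zend_Db_Expr(
                    'AES_ENCRYPT(' . $adapter->quote($data[$column]) . ', ' . $key . ')'
                );
            }
        }
        return $data;
    }

    public function insert(array $data)
    {
        return parent::insert($this->_wrapEncrypted($data));
    }

    public function update(array $data, $where)
    {
        return parent::update($this->_wrapEncrypted($data), $where);
    }
}

class Partner extends App_Db_Table_Encrypted
{
    protected $_name = 'partner', $_primary = 'id';
    protected $_encryptedColumns = array('mobile');

    public function createPartner($mobile)
    {
        // Plaintext goes in; the base class quotes it and wraps it in AES_ENCRYPT().
        $id = $this->insert(array('mobile' => $mobile, 'createdOn' => date('Y-m-d H:i:s')));
        return $this->find($id)->current();
    }
}
```

Quoting removes the injection risk, but MySQL still receives the key inside the statement text, so the general and slow query logs will record it; keep those logs disabled or access-restricted on servers using AES_ENCRYPT() this way.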