feature / quoteTrustedValueList #4144



Created a quoteTrustedValueList method in the Db/Platform/* classes with quoteTrustedValue.


What's the use case here?

moura137 commented Apr 2, 2013

With ZF version 2.1.4 I received a notice exception when using the Db\Metadata\Source\* classes.

According to the recommendations of security alert ZF2013-03, the methods quoteValue and quoteValueList should not be used; however, the metadata class uses them.

As there is the method quoteTrustedValue, I thought of creating quoteTrustedValueList and changing the class accordingly.

Here is a part of the MysqlMetadata code:

```php
// Identifiers and the two table-type literals are constants in the source;
// only the IN (...) list goes through the platform's value quoting.
$sql = 'SELECT ' . implode(', ', $isColumns)
    . ' FROM ' . $p->quoteIdentifierChain(array('INFORMATION_SCHEMA', 'TABLES')) . ' T'
    . ' LEFT JOIN ' . $p->quoteIdentifierChain(array('INFORMATION_SCHEMA', 'VIEWS')) . ' V'
    . ' ON ' . $p->quoteIdentifierChain(array('T', 'TABLE_SCHEMA'))
    . '  = ' . $p->quoteIdentifierChain(array('V', 'TABLE_SCHEMA'))
    . ' AND ' . $p->quoteIdentifierChain(array('T', 'TABLE_NAME'))
    . '  = ' . $p->quoteIdentifierChain(array('V', 'TABLE_NAME'))
    . ' WHERE ' . $p->quoteIdentifierChain(array('T', 'TABLE_TYPE'))
    . ' IN (' . $p->quoteValueList(array('BASE TABLE', 'VIEW')) . ')';
```
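An added example, not code from this PR or from Zend\Db, showing the two ways the table-type filter in the query above can be built and where the trust boundary sits. The functions quoteTrustedValue and quoteTrustedValueList are hypothetical stand-ins written for this example, assuming MySQL with backslash escaping in effect (sql_mode without NO_BACKSLASH_ESCAPES); the hard-coded list is trusted, anything else goes through placeholders.

```php
<?php
// Added example, not code from this PR or from Zend\Db. It shows where the
// trust boundary sits when building the IN (...) clause from the metadata
// query above. Assumptions: MySQL with backslash escaping in effect
// (sql_mode without NO_BACKSLASH_ESCAPES); quoteTrustedValue and
// quoteTrustedValueList are hypothetical stand-ins written for this example.

/**
 * Quote a string the developer controls: a literal in the source, never
 * request input. The escaping is done in PHP without the driver's knowledge
 * of the connection charset, so it must only ever see trusted values.
 */
function quoteTrustedValue(string $value): string
{
    static $map = [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ];
    return "'" . strtr($value, $map) . "'";
}

/** Quote a list of trusted literals for use inside IN (...). */
function quoteTrustedValueList(array $values): string
{
    if ($values === []) {
        // "IN ()" is a syntax error; fail loudly instead of emitting it.
        throw new InvalidArgumentException('empty value list');
    }
    return implode(', ', array_map('quoteTrustedValue', $values));
}

/** Trusted form: the list is hard-coded in the source, as in MysqlMetadata. */
function tableTypeFilterTrusted(): string
{
    return 'T.TABLE_TYPE IN (' . quoteTrustedValueList(['BASE TABLE', 'VIEW']) . ')';
}

/**
 * Parameterised form for values that come from outside the code base: the SQL
 * text only ever contains placeholders; the values travel to the driver
 * separately and are never spliced into the statement.
 */
function tableTypeFilterParams(array $types): array
{
    if ($types === []) {
        throw new InvalidArgumentException('empty value list');
    }
    $placeholders = implode(', ', array_fill(0, count($types), '?'));
    return ['T.TABLE_TYPE IN (' . $placeholders . ')', array_values($types)];
}

// Constructed input: the second "type" is an injection attempt.
echo tableTypeFilterTrusted(), PHP_EOL;
[$sql, $params] = tableTypeFilterParams(['BASE TABLE', "VIEW') OR ('1'='1"]);
echo $sql, PHP_EOL;
print_r($params);
```

tableTypeFilterTrusted() yields `T.TABLE_TYPE IN ('BASE TABLE', 'VIEW')`, the text MysqlMetadata needs, and since both literals are written in the source it is fine to hard-code them outright. For any list that is not a source literal, use the placeholder form and pass the returned array to the driver's prepare/execute; the injection attempt then arrives at the server as an ordinary parameter string.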

I plan to refactor the MysqlMetadata to not use the Platform for quoting. Since there is only one way to quote for MySQL, there is no reason why these queries should not be hard-coded.

moura137 commented Apr 4, 2013

This was the main reason for creating the method; I wanted to send a PR on Metadata because I cannot update my app.

Still, the method would have the same use case as the method quoteTrustedValue.

weierophinney added a commit that closed this pull request on Apr 16, 2013:

Merge branch 'hotfix/4241'
Close #4241
Fixes #4144

I don't think we should entertain this feature. quoteValue() and quoteValueList() are both considered 'effectively deprecated'. The only reason quoteValueList() was introduced was during the creation of Metadata, and it is one that at this point I regret. Also, usage of quoteValueList() has been removed from Metadata in a recent pull request.

Thanks, but giving people more APIs to quote values in different ways is not something I think we should support long term.


See #4241

moura137 deleted the moura137:feature/quoteTrusted branch on Apr 17, 2013.