I am using key as a column name in a MySQL table.
Since this is reserved, it needs to be escaped properly to be used in a query:
… WHERE `key` = 'test'
Manually this is no problem, but I am using the Zend Framework and want to have it handle the escape correctly, like this:
$table = new Application_Model_ATable();
$table->fetchRow ( $table->select()->where('key = ?','test') );
So the question is:
How to quote/escape column names with Zend_Db_Table?
avoiding MySQL injections with the Zend_Db class
The guy explains it here actually, but I'll just pull out the quote quickly...
Any other part of that expression that needs to be quoted or delimited is your responsibility. E.g., if you interpolate any PHP variables into the expression, safety is your responsibility. If you have column names that are SQL keywords, you need to delimit them yourself with quoteIdentifier(). Example:
$select->where($db->quoteIdentifier('order').'=?', $myVariable)
Hope this helps!!
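Try something like:
$table = new Application_Model_ATable();
$db = $table->getAdapter();
// Delimit the reserved word as an identifier; quoteInto() only quotes the value
$where = $db->quoteInto($db->quoteIdentifier('key') . ' = ?', 'test');
$table->fetchRow ( $where );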
*--excerpt from Zend_Db_Table reference--*
Note: The values and identifiers in the SQL expression are not quoted for you. If you have values or identifiers that require quoting, you are responsible for doing this. Use the quote(), quoteInto(), and quoteIdentifier() methods of the database adapter.
One must quote column names when uppercase letters have been used. It is useful to quote those names with $db->quoteIdentifier($columnName) when you plan to switch database adapters in the future.
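Why quoteIdentifier() is preferable to hard-coded backticks when the adapter may change, shown as an added example that is not part of any answer above and is not Zend Framework source. It is a simplified stand-alone model; the function names and the dialect keys 'mysql' and 'ansi' are hypothetical.

```php
<?php
// Added illustration: a simplified stand-alone model of identifier quoting,
// not Zend Framework source. All function names here are hypothetical.

/** Delimit one identifier, doubling any embedded delimiter character. */
function quoteIdentifierPart(string $name, string $q): string
{
    return $q . str_replace($q, $q . $q, $name) . $q;
}

/** Quote a possibly qualified name such as "atable.key" segment by segment. */
function quoteIdentifierFor(string $dialect, string $name): string
{
    // Delimiter per dialect: MySQL uses backticks, ANSI SQL uses double quotes.
    $symbols = ['mysql' => '`', 'ansi' => '"'];
    if (!isset($symbols[$dialect])) {
        throw new InvalidArgumentException("unknown dialect: $dialect");
    }
    $parts = array_map(
        fn (string $p): string => quoteIdentifierPart($p, $symbols[$dialect]),
        explode('.', $name)
    );
    return implode('.', $parts);
}

/** Build a WHERE fragment: the identifier is delimited, the value stays a placeholder. */
function whereEquals(string $dialect, string $column): string
{
    return quoteIdentifierFor($dialect, $column) . ' = ?';
}

// Constructed sample inputs.
foreach (['mysql', 'ansi'] as $dialect) {
    echo $dialect, ': ', whereEquals($dialect, 'key'), PHP_EOL;
    echo $dialect, ': ', whereEquals($dialect, 'atable.key'), PHP_EOL;
    // An embedded delimiter is doubled, so it cannot close the identifier early.
    echo $dialect, ': ', whereEquals($dialect, 'odd`na"me'), PHP_EOL;
}
```

The value is still bound through the ? placeholder; identifier quoting only covers the column name.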