Quoting a value for an SQL query in ZF 2.1.4

Question

So I've upgraded to ZF 2.1.4 and I was greeted with a notice saying: Attempting to quote a value in Zend\Db\Adapter\Platform\Mysql without extension/driver support can introduce security vulnerabilities in a production environment

My dbadapter is instanciated as such:

return array(
  'service_manager' => array(
    'factories' => array(
      'Zend\Db\Adapter\Adapter' => 'Zend\Db\Adapter\AdapterServiceFactory',
    )
   ),
   'db' => array(
     'driver'         => 'pdo_mysql',
     'driver_options' => array(
       PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'"
     ),
     'dsn'            => 'mysql:dbname=test;host=192.168.1.8',
     'username'       => 'test',
     'password'       => 'test',
   )
 );

What I want to quote is the following:

$order = 'field(ce.id, ' . $this->_db->getPlatform()->quoteValueList($ids) . ')';
$select->order(new Expression($order));

How should I go about it? I was under the impression that pdo_mysql had driver support to quote values.

Answer 1

Looks like you already found your solution by adding $this->platform->setDriver($this->getDriver());. Also take a look at this:

please see the announcements and security notes that were accompanied by this release: http://framework.zend.com/security/advisory/ZF2013-03

Release notes: http://framework.zend.com/blog/2013-03-14-zend-framework-3-for-1-release-day.html