In Zend Framework 1 there is a quoteInto() method on the database adapter that can be used to quote values into SQL statements.
I would like to know its equivalent in Zend Framework 2.
Unfortunately, the quoteInto() method was removed with the introduction of the new Zend\Db in ZF 2.0, and there is no equivalent that has exactly the same behaviour.

In ZF2 there is the quoteValue() method. This method takes one value as a parameter and then quotes the value so you can safely put it into an SQL query as a value.

However, you could use quoteValue() to replicate the behaviour of the ZF1 quoteInto() method. You could simply take the code of the quoteInto() method from ZF1 and apply the quoteValue() method from the platform object in ZF2 to it:
// modified quoteInto() function for ZF2
function quoteInto($text, $value, $platform, $count = null)
{
    // Let the platform (Mysql, Sqlite, Postgresql, ...) quote the value once.
    $quoted = $platform->quoteValue($value);

    if ($count === null) {
        // Replace every '?' placeholder with the quoted value.
        return str_replace('?', $quoted, $text);
    }

    // Replace only the first $count placeholders. The search resumes after the
    // inserted value, so a '?' inside the quoted value is never treated as a
    // placeholder on the next iteration.
    $offset = 0;
    while ($count > 0) {
        $pos = strpos($text, '?', $offset);
        if ($pos === false) {
            break;
        }
        $text   = substr_replace($text, $quoted, $pos, 1);
        $offset = $pos + strlen($quoted);
        --$count;
    }
    return $text;
}
There are some differences. ZF1 has a $type parameter, but because of the way ZF2 works with these things, the type parameter doesn't make much sense. And there is a $platform parameter, because this method has a dependency on the platform for the quoteValue() method.
Quoting a SQL statement is the old and potentially insecure way to do it. You should use prepared statements which have much better protection against SQL injection. I would use one of the PDO drivers listed here (depending on your database) and follow some of the examples below that which use prepared queries.
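The quoteInto() shim from the first answer and the prepared-statement route the second answer recommends, side by side, as an added example that is not part of either answer. It assumes ZF2's Zend\Db is autoloadable (Composer's vendor/autoload.php) and uses a PDO SQLite in-memory database with a constructed users table so it runs offline; the quoteInto() shim and the countRows() helper are defined locally for the example.

```php
<?php
// Added example, not code from the original post. Assumes Zend\Db (ZF2) is
// autoloadable, e.g. via Composer.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Adapter\Platform\PlatformInterface;
use Zend\Db\Sql\Sql;

// ZF1-style quoteInto() rebuilt on the ZF2 platform's quoteValue(). The search
// offset is tracked so a '?' inside the quoted value is never re-matched as a
// placeholder.
function quoteInto($text, $value, PlatformInterface $platform, $count = null)
{
    $quoted = $platform->quoteValue($value);
    if ($count === null) {
        return str_replace('?', $quoted, $text);
    }
    $offset = 0;
    while ($count > 0) {
        $pos = strpos($text, '?', $offset);
        if ($pos === false) {
            break;
        }
        $text   = substr_replace($text, $quoted, $pos, 1);
        $offset = $pos + strlen($quoted);
        --$count;
    }
    return $text;
}

// Count rows by iterating rather than trusting PDO's rowCount() for SELECTs.
function countRows($result)
{
    $n = 0;
    foreach ($result as $row) {
        $n++;
    }
    return $n;
}

// Constructed fixture: an in-memory SQLite database with two users.
$adapter = new Adapter(array(
    'driver'   => 'Pdo_Sqlite',
    'database' => ':memory:',
));
$adapter->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)', Adapter::QUERY_MODE_EXECUTE);
$adapter->query("INSERT INTO users (name) VALUES ('alice'), ('bob')", Adapter::QUERY_MODE_EXECUTE);

$platform = $adapter->getPlatform();
$inputs   = array(
    'legitimate' => 'alice',
    'hostile'    => "x' OR '1'='1",   // constructed tautology payload
);

foreach ($inputs as $label => $input) {
    // 1. Interpolation through quoteValue(): the embedded quote is doubled by
    //    the platform, so it stays inside the literal and cannot terminate it.
    $interpolated = quoteInto('SELECT * FROM users WHERE name = ?', $input, $platform);
    $n1 = countRows($adapter->query($interpolated, Adapter::QUERY_MODE_EXECUTE));

    // 2. Prepared statement: the value travels separately from the SQL text,
    //    so no quoting of the value is needed at all.
    $n2 = countRows($adapter->query('SELECT * FROM users WHERE name = ?', array($input)));

    // 3. Zend\Db\Sql builds the same prepared statement from a Select object.
    $sql    = new Sql($adapter);
    $select = $sql->select('users')->where(array('name' => $input));
    $n3 = countRows($sql->prepareStatementForSqlObject($select)->execute());

    echo "$label: $interpolated\n";
    echo "  rows: interpolated=$n1 prepared=$n2 sql-object=$n3\n";
}
```

Run against the fixture, the legitimate input matches one row in all three forms and the tautology payload matches none, because the quoted form keeps the payload inside a single string literal and the two prepared forms never splice it into the SQL at all. One caveat with the interpolation route: the ZF2 platform classes quote through the attached driver (here PDO::quote()), and a platform object constructed without a driver falls back to a PHP-side escape and raises a notice that this is unsafe for production. The prepared forms do not depend on that quoting at all, which is why they are the safer default.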