ZF-6463: Binding params in where clause
Hello, there is a big problem in the fetch* methods on Zend_Db_Table and the update and delete methods on Zend_Db_Adapter_Abstract, because the where-condition parameters are not bound; they are just escaped and substituted into the condition. Here is an example:
$myTable = new Zend_Db_Table_MyTable();
$result  = $myTable->fetchAll(array('label = ?' => 'MyLabel'));
What is the query executed?
SELECT MY_TABLE.* FROM MY_TABLE WHERE (label = 'MyLabel')
Which is wrong!! The query should be
SELECT MY_TABLE.* FROM MY_TABLE WHERE (label = ?)
and 'MyLabel' sent as a parameter.
For the fetch methods the problem is in Db_Table_Abstract: the '?' is just replaced using the _whereExpr() function.
For the update/delete methods the problem is in Db_Adapter_Abstract.
Why is this problem so important? Because in Oracle we have a limited number of unique queries to execute, and this bug will create many queries in the DB instead of only one.
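The following is an added illustration of the two behaviours the report contrasts; it is not the reporter's code and not Zend Framework code. It uses plain PDO against a constructed in-memory SQLite table (MY_TABLE with a label column) and two hypothetical helpers, interpolateWhere() and boundWhere(), to show that escaping-and-splicing produces a different SQL text for every value, while keeping the '?' in the text and binding the value produces one statement text no matter what value is supplied.

```php
<?php
// Added example, not Zend Framework code. Assumes PDO with the sqlite driver.
// MY_TABLE and its rows are constructed here for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE MY_TABLE (id INTEGER PRIMARY KEY, label TEXT)');
$pdo->exec("INSERT INTO MY_TABLE (label) VALUES ('MyLabel'), ('Other'), ('O''Brien')");

// Approach 1 (what the report describes): escape the value and splice it
// into the condition text. Every distinct value yields a distinct SQL text,
// which the database must parse and plan separately.
function interpolateWhere(PDO $pdo, string $cond, string $value): string
{
    // PDO::quote() escapes and wraps the value (SQLite: O'Brien -> 'O''Brien').
    $where = str_replace('?', $pdo->quote($value), $cond);
    return "SELECT MY_TABLE.* FROM MY_TABLE WHERE ($where)";
}

// Approach 2 (what the report asks for): leave the '?' in the SQL text and
// bind the value at execute time. The statement text is identical for every
// value, so the server sees a single query and can reuse its plan.
function boundWhere(PDO $pdo, string $cond, string $value): array
{
    $sql  = "SELECT MY_TABLE.* FROM MY_TABLE WHERE ($cond)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$value]);
    return ['sql' => $sql, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

$values = ['MyLabel', 'Other', "O'Brien"];

// Interpolating: collect the distinct statement texts the database receives.
$interpolatedTexts = [];
foreach ($values as $v) {
    $sql = interpolateWhere($pdo, 'label = ?', $v);
    $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    $interpolatedTexts[$sql] = count($rows);
}
foreach ($interpolatedTexts as $sql => $n) {
    echo $sql, "  -- ", $n, " row(s)\n";
}

// Binding: the same statement text is sent each time; only the parameter changes.
$boundTexts = [];
foreach ($values as $v) {
    $r = boundWhere($pdo, 'label = ?', $v);
    $boundTexts[$r['sql']] = true;
    echo $r['sql'], "  -- ", count($r['rows']), " row(s), bound value: ", $v, "\n";
}

echo count($interpolatedTexts), " distinct statement text(s) when interpolating, ",
     count($boundTexts), " when binding\n";
```

Run it with the PHP CLI (php demo.php). The first loop prints three different WHERE clauses, one per literal, while the second prints the same text three times; the final line reports 3 distinct texts for interpolation against 1 for binding, which is exactly the difference that matters for a database that caches plans per unique statement text.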