I'm writing a custom router for Magento. Here's a code snippet of what I'm doing in the match() method:

// Inside the router's match() method
$pathInfo = $request->getPathInfo();           // e.g. "/some-category/some-product"
$splitPath = explode('/', $pathInfo);          // the leading "/" makes $splitPath[0] empty
$category = $splitPath[1];                     // first path segment, used as the category url_key
....
// Filter the category collection by the user-supplied url_key
$categoriesCollection->addAttributeToFilter('url_key', array('eq' => $category));

My question is this: is it safe to assume that the underlying models will take care of any SQL injection attacks etc, or should I be worrying about preventing these problems?

Many thanks for any guidance.

Rob L

1 Answer

I think it's pretty safe to assume the values will be escaped properly to prevent SQL injection. All parameters pass through the Zend_Db_Adapter_Abstract::quoteInto() method that should make it safe.
If you somehow find a vulnerability in this, then the issue is with Zend Framework, not Magento itself.

Marius
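A way to confirm the answer's claim on your own install, as an added example that is not part of the question or the answer: it renders the SELECT Magento would build for a url_key containing quote characters, without executing it. It assumes a Magento 1 install and that the script is placed in the Magento root next to app/Mage.php; the test value is constructed.

```php
<?php
// Added example: check that the url_key filter value is quoted before it
// reaches MySQL. Assumes this file sits in the Magento 1 root directory.
require_once __DIR__ . '/app/Mage.php';
Mage::app();

// Constructed test value: a path segment containing single quotes, the kind
// of input $splitPath[1] would carry for a request like /shoes'x/.
$category = "shoes' OR '1'='1";

// Same call as in the router, but we never load() the collection.
$collection = Mage::getModel('catalog/category')->getCollection()
    ->addAttributeToFilter('url_key', array('eq' => $category));

// Render the SQL Magento would send. Zend_Db_Select implements __toString().
$sql = $collection->getSelect()->__toString();
echo $sql, PHP_EOL;

// quoteInto() is expected to pass the value through the adapter's quote(),
// so the rendered SQL must contain exactly that quoted literal and must not
// contain the raw, unescaped value.
$quoted = $collection->getConnection()->quote($category);
$properlyQuoted = strpos($sql, $quoted) !== false
    && strpos($sql, "= '" . $category . "'") === false;

if (!$properlyQuoted) {
    fwrite(STDERR, "WARNING: url_key value not quoted as expected\n");
    exit(1);
}
echo "OK: url_key filter value appears as a single quoted literal", PHP_EOL;
```

Run it from the command line with `php check_url_key_quoting.php` (any filename works) and inspect the printed SELECT to see the escaping the adapter applied.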