Using this framework:
http://stefangabos.ro/php-libraries/zebra-database/
The author says:
"It encourages developers to write maintainable code and provides a better default security layer by encouraging the use of prepared statements, where parameters are automatically escaped."
The documentation shows an example of an Insert as:
$db->insert(
    'table',
    array(
        'column1' => 'value1',
        'column2' => 'value2',
    )
);
The framework code that gets run is:
function insert($table, $columns, $ignore = false, $highlight = false)
{
    // enclose the column names in grave accents
    $cols = '`' . implode('`,`', array_keys($columns)) . '`';

    // parameter markers for escaping values later on
    $values = rtrim(str_repeat('?,', count($columns)), ',');

    // run the query
    $this->query('
        INSERT' . ($ignore ? ' IGNORE' : '') . ' INTO
        ' . $table . '
        (' . $cols . ')
        VALUES
        (' . $values . ')'
    , array_values($columns), false, $highlight);

    // return true if query was executed successfully
    if ($this->last_result) return true;

    return false;
}
The question is:
Is the example secure against SQL injection or do I need to write it differently?
Thank you! Mark
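The insert() method above binds the array values through `?` placeholders but pastes the table name and the array keys (the column names) into the SQL text verbatim, so the answer depends on where those identifiers come from. The following is an added example, not code from Zebra_Database or its author: a Python port of the method's string concatenation (newlines collapsed to spaces, which does not change the SQL), run against an in-memory sqlite3 database so the two paths can be compared. The `users` schema, the `ALLOWED_COLUMNS` allowlist, the `safe_insert` wrapper and the payloads are all constructed for the demonstration and are not part of the library.

```python
"""Port of the concatenation in Zebra_Database::insert() (added example,
not the library's own code) to show what its '?' placeholders cover."""
import sqlite3


def build_insert(table, columns, ignore=False):
    """Mirror the framework: values become '?' placeholders (bound later),
    while the table name and the column names are pasted in unescaped."""
    cols = "`" + "`,`".join(columns.keys()) + "`"
    marks = ",".join("?" for _ in columns)
    sql = ("INSERT" + (" IGNORE" if ignore else "") + " INTO " + table
           + " (" + cols + ") VALUES (" + marks + ")")
    return sql, list(columns.values())


# Hypothetical schema for the demonstration.
ALLOWED_COLUMNS = {"users": {"name", "email"}}

# Constructed attacker payloads.
EVIL_VALUE = "x'); UPDATE users SET is_admin=1; --"
EVIL_KEY = "is_admin`, `email`) VALUES (?, 1, ?) -- "


def fresh_db():
    """In-memory database with a privilege column the caller never exposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, "
                 "is_admin INTEGER DEFAULT 0)")
    return conn


def value_is_bound(conn):
    """A hostile VALUE is stored as plain data: the placeholder does its job."""
    sql, params = build_insert("users", {"name": EVIL_VALUE, "email": "a@b"})
    conn.execute(sql, params)
    return conn.execute("SELECT name, is_admin FROM users").fetchone()


def key_is_not_bound(conn):
    """A hostile COLUMN NAME rewrites the statement. The injected text keeps
    the placeholder count at two, comments out the framework's own VALUES
    clause, and sets is_admin=1 on the attacker's row."""
    sql, params = build_insert("users", {"name": "mallory", EVIL_KEY: "m@evil"})
    conn.execute(sql, params)
    return conn.execute("SELECT name, email, is_admin FROM users "
                        "WHERE name = 'mallory'").fetchone()


def safe_insert(conn, table, columns):
    """Hardened wrapper (added here, not in the library): identifiers must
    come from a fixed allowlist; only the values go to the placeholders."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError("unknown table: %r" % table)
    bad = set(columns) - ALLOWED_COLUMNS[table]
    if bad:
        raise ValueError("disallowed column(s): %r" % sorted(bad))
    sql, params = build_insert(table, columns)
    conn.execute(sql, params)
    conn.commit()


def hardened_rejects(conn, columns):
    """Return the ValueError message safe_insert raises, or None if it accepts."""
    try:
        safe_insert(conn, "users", columns)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("bound value stored verbatim:", value_is_bound(fresh_db()))
    print("unbound key escalated privilege:", key_is_not_bound(fresh_db()))
    print("allowlist rejects hostile key:",
          hardened_rejects(fresh_db(), {"name": "mallory", EVIL_KEY: "x"}))
```

The documentation example is safe as written because the keys and table name are string literals in the source. The call becomes injectable the moment the array keys or `$table` are built from request data (for example `$db->insert('table', $_POST)`), since nothing in insert() escapes identifiers. Keep identifiers as literals or check them against an allowlist, as `safe_insert` does above; pass only the values through the array.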