I am stuck with an ancient Zend 1 project, which we gradually want to fade into Symfony.
My colleague created a repository with the following code:
public function insert(Address $address): int
{
    // The getter return values are interpolated straight into the SQL text,
    // so any quote character in the data becomes part of the statement.
    $sql = <<<SQL
insert into contract_request.applicant_address
(applicant_uuid, street, street_number, postcode, city)
VALUES
(
{$address->getApplicantUuid()},
'{$address->getStreet()}',
{$address->getStreetNumber()},
'{$address->getPostcode()}',
'{$address->getCity()}'
)
SQL;
    $stmt = new Zend_Db_Statement_Mysqli($this->db, $sql);
    $stmt->execute();
    $addressId = $this->db->lastInsertId();
    return (int) $addressId;
}
This works nicely as long as no text containing an apostrophe is inserted, e.g. 't Hertogenbosch, which can happen.
So how can I properly escape critical strings before inserting them into the db with this construct? Changing the single quotes to double quotes doesn't help.
I found similar questions only for select queries.
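The same INSERT written with bound parameters instead of string interpolation, as an added example that is not part of the question or the asker's repository. It assumes the Address getters, the table and column names from the question, and that $this->db is a Zend Framework 1 Zend_Db_Adapter_Mysqli instance (the repository class and constructor below are assumed scaffolding). Escaping the apostrophe is the symptom; the underlying problem is that the data is part of the statement text at all, which is also a SQL injection vector. With placeholders the driver sends the values separately from the statement, so an apostrophe in 't Hertogenbosch (or anything else a user types) is plain data:

```php
<?php
// Added example, not code from the original post. Assumes the Address class
// from the question and a Zend_Db_Adapter_Mysqli adapter in $this->db.

class ApplicantAddressRepository
{
    /** @var Zend_Db_Adapter_Abstract */
    private $db;

    public function __construct(Zend_Db_Adapter_Abstract $db)
    {
        $this->db = $db;
    }

    /**
     * Same statement as in the question, but every value is a `?` placeholder.
     * Zend_Db_Statement_Mysqli supports positional placeholders only, so the
     * order of the array passed to execute() must match the column list.
     * Bound values are transmitted separately from the SQL text; MySQL
     * converts them to the column type, so the unquoted columns from the
     * original (applicant_uuid, street_number) need no special handling.
     */
    public function insert(Address $address): int
    {
        $sql = <<<SQL
INSERT INTO contract_request.applicant_address
    (applicant_uuid, street, street_number, postcode, city)
VALUES (?, ?, ?, ?, ?)
SQL;
        $stmt = new Zend_Db_Statement_Mysqli($this->db, $sql);
        $stmt->execute([
            $address->getApplicantUuid(),
            $address->getStreet(),        // "'t Hertogenbosch" is fine here
            $address->getStreetNumber(),
            $address->getPostcode(),
            $address->getCity(),
        ]);

        return (int) $this->db->lastInsertId();
    }

    /**
     * Shorter equivalent using the adapter's own insert(): the adapter quotes
     * the identifiers (including the schema.table form) and binds the values.
     */
    public function insertViaAdapter(Address $address): int
    {
        $this->db->insert('contract_request.applicant_address', [
            'applicant_uuid' => $address->getApplicantUuid(),
            'street'         => $address->getStreet(),
            'street_number'  => $address->getStreetNumber(),
            'postcode'       => $address->getPostcode(),
            'city'           => $address->getCity(),
        ]);

        return (int) $this->db->lastInsertId();
    }
}
```

If a value really cannot be bound (Zend_Db only binds values, not table or column names), `$this->db->quote($value)` returns the value escaped and wrapped in quotes for the current adapter, and `$this->db->quoteInto('city = ?', $value)` does the same inside a fragment; but for the five values in this INSERT, binding is both simpler and the only approach that removes the injection risk rather than patching over the apostrophe case.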