
I've been looking at increasing security and stability across some of my websites and one thing I've been checking is escaping all input from users (as I should be doing).

In a lot of cases, I'm using the standard Zend_Db_Table_Row setFromArray() method, i.e.

// Inside a controller action: build the form and the table gateway
$myForm = new Form_MyForm();
$myTable = new Model_DbTable_MyTable();

if ($this->getRequest()->isPost())
{
    // Run the form's validators against the raw POST data
    if ($myForm->isValid($_POST))
    {
        // Populate a new row straight from $_POST and persist it
        $myRow = $myTable->createRow();
        $myRow->setFromArray($_POST);
        $myRow->save();
    }
}

This works fine, as expected. However I'm not aware if the input is escaped at any point of this code (like all input from a user should be before being put anywhere near the database). I use quoteInto() in Zend, but also use mysqli_real_escape_string() externally.

Does anyone know if the user input is escaped in the above example (ready for the DB), and if not, how do I escape it if I want to continue using the setFromArray() method?

dKen

1 Answer

setFromArray is not filtering the variables. Use

$form->getValues(); // not directly the $_POST

This will filter/validate according to your form rules.

Other options are to run filter_var manually on the POST data, or to use Zend_Filter.

setFromArray() just populates the row object with values, and save() does not do validation checks; it does an update. So you should do the escaping/validation before that, and it is not automatic. You can add a filter to the form itself and then use getFiltredValues/getUnfilteredValues. The only automatic escaping I think happens when using Zend_Select and you bind parameters with ?

Elzo Valugi
  • Thanks Elzo, I just put that example together quickly but will make a note to use getValues() in all instances. The question still remains though: is the input from users escaped automatically (different from validation)? I understand filters can do some of this, but does this mean I have to add a filter to every input to block injection attacks? – dKen Jun 11 '12 at 09:47
  • setFromArray() just populates the row object with values, and save() does not do validation checks; it does an update. So you should do the escaping/validation before that, and it is not automatic. You can add a filter to the form itself and then use getFiltredValues/getUnfilteredValues. The only automatic escaping I think happens when using Zend_Select and you bind parameters with ? – Elzo Valugi Jun 11 '12 at 11:21
  • Wow, thanks Elzo, marking your answer as correct for me. I'm surprised none of the examples I've seen online for saving forms to the database via setFromArray() show any data escaping. – dKen Jun 11 '12 at 12:00
  • The examples are made to explain only one point at a time and not the real complexities of the real world. – Elzo Valugi Jun 11 '12 at 12:02
  • @elzo your comment above is much more explanatory than your answer and should be edited into it to make it excellent :) – vascowhite Jun 11 '12 at 15:31
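The pattern the accepted answer and Elzo's comment describe (declare filters and validators on the form, feed setFromArray() from getValues() instead of $_POST, and let Zend_Db bind values with ?) as an added example; this is not code from the thread, and Form_MyForm, Model_DbTable_MyTable, the controller and the column names are assumed. Zend_Db's insert()/update() send the row values as bound parameters, so the filters here are about cleaning and whitelisting the data, not about string-escaping it for SQL.

```php
<?php
// Added example, not from the thread. Class and column names are assumed.
class Form_MyForm extends Zend_Form
{
    public function init()
    {
        // Filters run before validators; getValues() returns the filtered result.
        $this->addElement('text', 'title', array(
            'required'   => true,
            'filters'    => array('StringTrim', 'StripTags'),
            'validators' => array(array('StringLength', false, array(1, 100))),
        ));
        $this->addElement('text', 'email', array(
            'required'   => true,
            'filters'    => array('StringTrim', 'StringToLower'),
            'validators' => array('EmailAddress'),
        ));
        $this->addElement('submit', 'save');
    }
}

class MyController extends Zend_Controller_Action
{
    public function saveAction()
    {
        $myForm  = new Form_MyForm();
        $myTable = new Model_DbTable_MyTable();
        $request = $this->getRequest();

        if ($request->isPost() && $myForm->isValid($request->getPost())) {
            // Only declared elements come back, already filtered; unknown
            // POST keys are dropped, unlike passing $_POST straight through.
            $data = $myForm->getValues();
            unset($data['save']);   // the submit button is not a column

            // Lookups use ? placeholders so the value is bound, not interpolated.
            $select = $myTable->select()->where('email = ?', $data['email']);
            if ($myTable->fetchRow($select) !== null) {
                $myForm->getElement('email')->addError('Already registered');
                return $this->render('form');
            }

            // Row values are handed to Zend_Db as bound parameters on save().
            $myRow = $myTable->createRow();
            $myRow->setFromArray($data);
            $myRow->save();
        }
        $this->view->form = $myForm;
    }
}
```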