I am trying to ensure we sanitize user input in our web app by filtering user input (blacklisting user data such as tags etc). Basically, Zend suggests that this be done specifically by the developer wherever one deems it as a requirement, so if Page A has a form, the filtering should be done in its pageAaction() after the form data has been retrieved. All form data in my app is retrieved like this:

    $this->_request->getParams(); 
    $this->_request->getParam('specificParamName'); // to return specific param

Well, in my web app everything the user inputs needs to be sanitized against the blacklisted fields. I want to obviously have my code centralized in one place rather than compare against the blacklist for each and every form. My understanding is that this should/must be done in the getParams() or getParam() method for the _request object since this is where we always retrieve form data from.

If yes, how can I do the same? I do not want to touch the core Zend class and add my own modifications to it.

If not, what is the best strategy to centralize our code?

Disclaimer: We are not using Zend forms, and are instead custom writing our own forms

meshy
Parijat Kalia
  • Just create a base form object that applies your filter to all fields. Then have your forms extend it – Phil Apr 17 '13 at 01:37
  • I should have stated this in my question but we are not using Zend forms (unfortunately I don't make this decision) – Parijat Kalia Apr 17 '13 at 17:04

3 Answers

You can extend the controller class to implement a custom function to sanitize the inputs

    class UserController extends Custom_Controller_Abstract
    {
        public function indexAction()
        {
            // retrieve the parameter through the base class so it is sanitized
            $user = $this->getSafeParam('userid');
        }
    }

in library/custom/controller/Abstract.php

    class Custom_Controller_Abstract extends Zend_Controller_Action
    {
        public function getSafeParam($paramName)
        {
            return $this->sanitize($this->getRequest()->getParam($paramName));
        }

        protected function sanitize($value)
        {
            // placeholder: put the common filtering logic here
            return $value;
        }
    }
Nandakumar V

Using getParams or getParam won't sanitise your data from a form, you should instead use $form->getData($post) or $form->getValidData($post).

However, I asked this question a while back too zend framework sanitizing data, and there were some good answers in there - one of which states NOT to do as you wish (and as I did).

Ashley
  • thanks @Ashley, but unfortunately our product uses Smarty templates, hence the Zend forms cannot be used. We definitely need a workaround – Parijat Kalia Apr 17 '13 at 16:46
Zend makes us perform our own sanitation of data because the requirements change so much from field to field.

You are apparently not using Zend_Form to build your form or you would use the standard filters and validators included with Zend_Form.

You do have access to the same validators and filters Zend_Form uses when not using Zend_Form. These are available when you use Zend_Filter_Input.

Zend_Filter_Input is designed specifically to filter and validate information contained in an associative array like the ones supplied by a $_GET or a $_POST array.

Basic usage is all in the controller/action:

    $filters = array(
        //month is the array key, Digits is the name of the filter class
        'month'   => 'Digits',
        //account is the array key, StringTrim is the name of the filter class
        'account' => 'StringTrim'
    );

    $validators = array(
        //account is the array key, Alpha is the name of the validator class
        'account' => 'Alpha',
        //* is a valid wildcard for validators and filters
        '*' => 'NotEmpty'
    );

    $data = $this->getRequest()->getPost();

    //everything in the constructor
    $input = new Zend_Filter_Input($filters, $validators, $data);

    //or
    $input = new Zend_Filter_Input($filters, $validators);
    $input->setData($data);

There is a lot more that can be done with filters and validators, check out Zend_Filter_Input for more info.

RockyFord
  • thanks @RockyFord. Yes we are not using Zend forms so I guess I must use Zend_Filter_Input. In your example, it requires that I apply Zend_Filter_Input in each and every controller where I am retrieving user data from a form. Which is fine when it is validation that is unique to each form, in my case, I am looking to simply check if the form has blacklisted words in it, and this applies commonly across all forms. So I want a central location rather than repeatedly apply this to all controllers – Parijat Kalia Apr 17 '13 at 16:58
  • so build that functionality into a service model or plugin of some type. I only supplied a basic example of the method, how you use it is up to you. You also may wish to use your black list as presanitation using javascript and then do a more thorough sanitation later in the application. – RockyFord Apr 18 '13 at 09:03
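Combining Nandakumar V's base-controller idea with RockyFord's Zend_Filter_Input, here is an added example (not code from any of the answers) of a single place where every request parameter passes through the common blacklist before a controller sees it. Custom_Filter_Blacklist, getSafeParams() and the word list are assumptions made for the example.

```php
<?php
// Added example, not code from the original answers. Assumes Zend Framework 1 on
// the include path and an autoloader mapping Custom_* to library/Custom/.

// Filter that removes blacklisted words; the word list is constructed for the demo.
class Custom_Filter_Blacklist implements Zend_Filter_Interface
{
    private $_pattern;

    public function __construct(array $words)
    {
        $quoted = array_map(function ($w) { return preg_quote($w, '/'); }, $words);
        // whole-word and case-insensitive, so "script" does not eat "description"
        $this->_pattern = '/\b(?:' . implode('|', $quoted) . ')\b/i';
    }

    public function filter($value)
    {
        return is_string($value) ? preg_replace($this->_pattern, '', $value) : $value;
    }
}

class Custom_Controller_Abstract extends Zend_Controller_Action
{
    private $_safeParams = null;

    /** Every request parameter after the common filter chain, built once per request. */
    protected function getSafeParams()
    {
        if ($this->_safeParams === null) {
            $blacklist = new Custom_Filter_Blacklist(array('drop', 'truncate')); // constructed
            // '*' applies the chain to every key, so no per-form code is needed;
            // validators are left empty here because they differ per form
            $input = new Zend_Filter_Input(
                array('*' => array('StringTrim', 'StripTags', $blacklist)),
                array(),
                $this->getRequest()->getParams()
            );
            // getUnescaped(): filtered values only; escape for HTML in the template
            $this->_safeParams = $input->getUnescaped();
        }
        return $this->_safeParams;
    }

    /** Single filtered parameter, or $default when it was not sent. */
    protected function getSafeParam($name, $default = null)
    {
        $params = $this->getSafeParams();
        return isset($params[$name]) ? $params[$name] : $default;
    }
}
```

Controllers extend Custom_Controller_Abstract and call $this->getSafeParam('userid') instead of getParam(); stripping is a last line of defence, so escaping for the output context still belongs in the Smarty template.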