3

I've seen different comments all over the place, some say that zend framework automatically sanitizes post/get data but others say it doesn't.

What's the deal? I've seen that doing it in the predispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions?

Ashley

3 Answers

4

It does not automatically sanitize any request data. It cannot, because that requires it to know how to sanitize it, e.g. should $_GET['foo'] be sanitized as a string or as a number? You have to tell it.

Whether you sanitize input manually in the respective Controller Actions or in an ActionHelper or automatically in a Controller Plugin or during bootstrap or with a mixture of these is up to you.

Use what is appropriate.

Gordon
4

Probably the deal is about Zend_Controller_Request vs the Zend_Db. Request data are often put into the DB.

Request object does not escape anything. You may force it to do so using filters, form filters or e.g. using the reflection technique described here:

Zend_Db queries are basically escaped like in other ORMs, like in PDO.

takeshin
  • My system makes use of zend_db only (specifically Zend_Db_Table_Abstract), does this mean I only need to overwrite the insert method, and escape in that? – Ashley Nov 03 '10 at 13:50
  • 1
    @Ashley The easiest method is just to try. Try to post some data and save it to database. Check whether the saved data were *sanitized* as you define it. – takeshin Nov 03 '10 at 13:56
  • Zend_Db uses prepared statements, so the data is escaped. – Maxence Nov 03 '10 at 14:11
  • So I actually don't need to do anything? – Ashley Nov 03 '10 at 15:30
  • 1
    @Ashley Database is not everything. You should worry about XSS, session attacks (session is a kind of database too, even if you do not use database session handler, session data should be sanitized too). – takeshin Nov 03 '10 at 15:46
1

It definitely doesn't automatically sanitise your variables for you. You could do something like foreach or use array_map depending on the context, for example:

$_POST = array_map('mysql_real_escape_string', $_POST);

Ideally though you should treat each variable on a case by case basis. Personally I make a lot of use of PHP's filter_var for filtering and sanitizing.

robjmills
  • 2
    For Request Input there is also `filter_input` that works directly on the request superglobals. The drawback is the lack of testability. You cannot modify the request, so you'd have to make a real Request instead of using a Mock. – Gordon Nov 03 '10 at 12:34
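Putting Gordon's "Controller Plugin" suggestion together with the per-field point in the answers and the XSS point in the comments, here is an added example that is not code from any of the answers above: a Zend Framework 1 front-controller plugin (hypothetical class name `My_Plugin_SanitizeInput`) that filters and validates request parameters in preDispatch with Zend_Filter_Input. It assumes ZF1 autoloading is configured in the bootstrap and that the field names (`id`, `title`, `email`) are your own.

```php
<?php
// Added example, not code from any of the answers above: a front-controller
// plugin that sanitizes request parameters per field in preDispatch using
// Zend_Filter_Input (Zend Framework 1). Assumes ZF1 autoloading is set up;
// the class name and the field names id/title/email are hypothetical.
class My_Plugin_SanitizeInput extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // Each field gets its own rule: the framework cannot guess whether
        // 'id' is numeric or 'title' is free text, so we have to tell it.
        $filters = array(
            '*'     => 'StringTrim',      // wildcard: applied to every field
            'id'    => 'Digits',
            'title' => 'StripTags',
            'email' => 'StringToLower',
        );
        $validators = array(
            'id'    => array('Int', array('GreaterThan', 0)),
            'title' => array(array('StringLength', 1, 200)),
            'email' => array('EmailAddress'),
        );
        $input = new Zend_Filter_Input($filters, $validators, $request->getParams());

        if (!$input->isValid()) {
            // Reject bad input before any action sees it; the error action
            // can read the messages and render them back to the user.
            $request->setParam('inputErrors', $input->getMessages());
            $request->setControllerName('error')->setActionName('invalid-input');
            return;
        }

        // Overwrite the raw values with the filtered, validated ones so every
        // action (and every Zend_Db_Table insert) works on sanitized data.
        foreach ($input->getUnescaped() as $field => $value) {
            $request->setParam($field, $value);
        }
        // Keep the Zend_Filter_Input around so views can call getEscaped():
        // Zend_Db prepared statements stop SQL injection, not XSS on output.
        Zend_Registry::set('filteredInput', $input);
    }
}

// Registration in the bootstrap or index.php:
// Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_SanitizeInput());
// In a view script, HTML-escaped output of a validated field:
// echo Zend_Registry::get('filteredInput')->getEscaped('title');
```

Fields without a validator (controller, action, module) only get the wildcard StringTrim filter and are left as they are; only the fields you name are overwritten with validated values.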