dKen

Reputation: 3127

Zend Framework: Escaping form input using setFromArray()

I've been looking at increasing security and stability across some of my websites and one thing I've been checking is escaping all input from users (as I should be doing).

In a lot of cases, I'm using the standard Zend_Db_Table_Row setFromArray() method, i.e.

$myForm = new Form_MyForm();
$myTable = new Model_DbTable_MyTable();

if ($this->getRequest()->isPost()) 
{
    // isValid() runs the form's validators against the raw superglobal
    if ($myForm->isValid($_POST))
    {
        $myRow = $myTable->createRow();
        // the row is populated from $_POST itself, not from the form
        $myRow->setFromArray($_POST);
        $myRow->save();
    }
}  

This works fine, as expected. However I'm not aware if the input is escaped at any point of this code (like all input from a user should be before being put anywhere near the database). I use quoteInto() in Zend, but also use mysqli_real_escape_string() externally.

Does anyone know if the user input is escaped in the above example (ready for the DB), and if not, how do I escape it if I want to continue using the setFromArray() method?

Upvotes: 0

Views: 805

Answers (1)

Elzo Valugi

Reputation: 27866

setFromArray is not filtering the variables. Use

$form->getValues(); // not directly the $_POST

This will filter/validate according to your form rules.

Other options are to filter_var() the POST manually, or Zend_Filter.

setFromArray() just populates the row object with values, and save() is not doing validation checks; it does an update. So you should do the escaping/validation before that; it is not automatic. You can add a filter to the form itself and then use getFilteredValues()/getUnfilteredValues(). The only automatic escaping I think happens when using Zend_Select and you bind parameters with ?

Upvotes: 1
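A fuller version of what the answer recommends, as an added example that is not part of the original question or answer. It assumes Zend Framework 1.x on the include_path and a MySQL table; the table name, column names (name, email, bio), connection parameters and the request array are all made up for illustration. It shows the two points the answer makes: feed setFromArray() from getValues(), which applies the element filters and also drops any POST key that is not a form element, and let the adapter quote values by binding them with ? in hand-written SQL rather than concatenating them.

```php
<?php
// Added example, not the original poster's code. Assumes ZF1 is on the include_path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Assumed connection parameters; replace with real ones to run against a database.
Zend_Db_Table_Abstract::setDefaultAdapter(Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'app',
)));

class Form_MyForm extends Zend_Form
{
    public function init()
    {
        // Filters run inside getValues(); the raw $_POST array never sees them.
        $this->addElement('text', 'name', array(
            'required'   => true,
            'filters'    => array('StringTrim', 'StripTags'),
            'validators' => array(array('StringLength', false, array(1, 64))),
        ));
        $this->addElement('text', 'email', array(
            'required'   => true,
            'filters'    => array('StringTrim', 'StringToLower'),
            'validators' => array('EmailAddress'),
        ));
        $this->addElement('textarea', 'bio', array(
            'filters'    => array('StringTrim', 'StripTags'),
            'validators' => array(array('StringLength', false, array(0, 1000))),
        ));
        // 'ignore' keeps the button out of getValues()
        $this->addElement('submit', 'save', array('ignore' => true));
    }
}

class Model_DbTable_MyTable extends Zend_Db_Table_Abstract
{
    protected $_name = 'users'; // assumed table
}

// Constructed request standing in for $_POST. The extra 'is_admin' key is not a
// form element: getValues() drops it, whereas setFromArray($_POST) would pass it
// straight to the row if the table had such a column.
$post = array(
    'name'     => "  <b>Ann</b> O'Malley ",
    'email'    => 'ANN@EXAMPLE.COM',
    'bio'      => "Likes '; DROP TABLE users; -- jokes",
    'is_admin' => '1',
    'save'     => 'Save',
);

$form = new Form_MyForm();
if ($form->isValid($post)) {
    $values = $form->getValues();
    // $values is array('name' => "Ann O'Malley", 'email' => 'ann@example.com',
    //                  'bio' => "Likes '; DROP TABLE users; -- jokes");
    // tags stripped, whitespace trimmed, no 'is_admin', no 'save'.
    $table = new Model_DbTable_MyTable();
    $row   = $table->createRow();
    $row->setFromArray($values); // only the whitelisted, filtered fields
    $row->save();
} else {
    print_r($form->getMessages());
}

// For hand-written SQL, bind with ? and let the adapter quote the value.
// The apostrophe and the "; DROP TABLE" text end up inside one string literal.
$db  = Zend_Db_Table_Abstract::getDefaultAdapter();
$sql = $db->quoteInto('SELECT * FROM users WHERE name = ?', $post['name']);

$select = $db->select()
    ->from('users')
    ->where('email = ?', strtolower(trim($post['email'])));
$rows = $db->fetchAll($select);
```

Filtering (StringTrim, StripTags) decides what the application accepts; quoting is the SQL layer's job and is done by quoteInto() or a ? placeholder at the point the query is built. Keeping the two separate avoids the habit of escaping data on the way in and then having it arrive double-escaped or HTML-mangled on the way out.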
