Reputation: 81
Zend_Form and data escaping
Do i have to use any sort of escaping functions like mysqli_real_escape_string() using Zend_Form when getting data from form's inputs prior to inserting data in db or is the data automatically escaped by zend for me?
Upvotes: 1
Views: 71
Answers (1)
Reputation: 1052
When you get data for your Zend_Form instance, you can use 2 methods:
$form->getValues();
This one gives you filtered values.
$form->getUnfilteredValues();
This one will give you raw values inputted by user.
In Zend Framework, you don't have escaping by default, instead you should worry about it yourself.
Good rule for that would be "Filter input, escape output". If there is a chance of getting XSS or other type of vulnerabilities.
Use prepared statements to protect from injections and escape your data in views to protect from XSS.
Upvotes: 1
Related Questions
- Diasble escaping in Zend 2 Forms
- Zend sanitizing input
- Disable escape in Zend Form Element Submit
- Zend 2 Form View Helper incoherent escaping
- Disable Escape strings in Zend_Form_Element_Text elements
- Zend Framework: Escaping form input using setFromArray()
- Escaped Input Data in Zend_Framework
- How to insert data into a Zend_Form
- How to prevent escaping on Zend Form Select : Zend Framework
- Zend_Form, setAttrib('escape',false) not working, help