vedmed

Reputation: 355

Escaped Input Data in Zend_Framework

Good day!

I want to protect my database when I save a row in the Zend_Framework:

function addController() {
    // ...
    if ($form->isValid($_POST)) {
        $dbManager = new DbManager();
        $dbManager->addRecords($form->getValues());
    }
}

class DbManager extends Zend_Db_Table_Abstract
{
    // ...
    function addRecords(array $array) {
        $row = $this->createRow();
        $row->field1 = $array['field_from_form1'];
        $row->field2 = $array['field_from_form2'];
        // ...
        $row->save();
    }
}

How can I better escape the input data from the array in the addRecords function?

Thank you!

Upvotes: 0

Views: 841

Answers (2)

JF Dion

Reputation: 4054

As far as I can see, you are doing it the proper way. If your form is made using Zend_Form, you could add filters and validators on your form elements.

Every form element I create automatically gets the StripTags (remove HTML tags) and StringTrim (remove unwanted whitespace) filters. The StripTags filter will need to be configured to accept specific tags and attributes if you need to allow HTML.

Over that, using validators will catch most of the malicious content. If you have radio buttons with numeric values, you can add the Digit validator. For strings, the Alnum validator seems to give me weird results with accented (utf8) strings, but if you expect basic ASCII, it could be a runner up.

Using Zend_Form::isValid() will check if all the validators are OK, and using Zend_Form::getValues() will automatically trigger all input filters. Since you are already doing this, you might just have to add proper filters and validators.

Using Zend Framework's DB tools will do the rest of building a safe query for you to avoid quoting issues.

Upvotes: 0

Tor Inge Schulstad

Reputation: 78

The Zend_Db_Table_Row::save() function internally uses the Zend_Db_Adapter_Abstract::insert() function to save data, which in turn quotes the data for you.

If you need to build your own SQL queries, the Zend_Db_Adapter classes provide several quoting functions for you to use. You can read more about them here: Quoting Values and Identifiers

Upvotes: 1
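Putting both answers together, here is an added example (not code from the question, the answers or the Zend Framework itself) for Zend Framework 1.x: the form elements carry the StripTags, StringTrim and Digits filters/validators, the controller only ever passes getValues() on to the table class, and Zend_Db_Table_Row::save() hands the values to the adapter's insert(), which does the quoting. The class names RecordForm, DbManager and RecordController, the field names and the table name are assumptions.

```php
<?php
// Added example; class, field and table names are assumed (Zend Framework 1.x).
// Form: every element gets StripTags + StringTrim, numeric fields get Digits.
class RecordForm extends Zend_Form
{
    public function init()
    {
        $this->addElement('text', 'field_from_form1', array(
            'required'   => true,
            'filters'    => array('StripTags', 'StringTrim'),
            'validators' => array(
                array('StringLength', false, array('min' => 1, 'max' => 100)),
            ),
        ));
        // Radio buttons with numeric values: Digits rejects anything else.
        $this->addElement('radio', 'field_from_form2', array(
            'required'     => true,
            'multiOptions' => array('1' => 'One', '2' => 'Two'),
            'validators'   => array('Digits'),
        ));
    }
}
// Table class: save() goes through Zend_Db_Adapter_Abstract::insert(),
// which quotes every value, so no manual SQL escaping is needed here.
class DbManager extends Zend_Db_Table_Abstract
{
    protected $_name = 'records'; // assumed table name
    public function addRecords(array $values)
    {
        $row = $this->createRow();
        $row->field1 = $values['field_from_form1'];
        $row->field2 = (int) $values['field_from_form2'];
        return $row->save(); // returns the new primary key
    }
}
class RecordController extends Zend_Controller_Action
{
    public function addAction()
    {
        $form = new RecordForm();
        $request = $this->getRequest();
        // getValues() returns the filtered values; raw $_POST is never used.
        if ($request->isPost() && $form->isValid($request->getPost())) {
            $manager = new DbManager();
            $manager->addRecords($form->getValues());
        }
        $this->view->form = $form;
    }
}
```

The quoting done by insert() only protects the SQL statement; values read back from the table still need to be escaped for the context they are rendered in (the view's escape() helper for HTML).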
