Zend Framework: Escaping form input using setFromArray()

I've been looking at increasing security and stability across some of my websites and one thing I've been checking is escaping all input from users (as I should be doing).

In a lot of cases, I'm using the standard Zend_Db_Table_Row setFromArray() method, i.e.

$myForm = new Form_MyForm();
$myTable = new Model_DbTable_MyTable();

if ($this->getRequest()->isPost())
{
    // Validates against the form's rules, but the row is still fed raw $_POST below
    if ($myForm->isValid($_POST))
    {
        $myRow = $myTable->createRow();
        $myRow->setFromArray($_POST);
        $myRow->save();
    }
}

This works fine, as expected. However, I'm not aware of whether the input is escaped at any point in this code (as all input from a user should be before being put anywhere near the database). I use quoteInto() in Zend, but also use mysqli_real_escape_string() externally.

Does anyone know if the user input is escaped in the above example (ready for the DB), and if not, how do I escape it if I want to continue using the setFromArray() method?

Answers

setFromArray does not filter the variables. Use

$form->getValues(); // not directly the $_POST

This will filter/validate according to your form rules.

Other options are to run filter_var manually on the POST, or Zend_Filter.

setFromArray() just populates the row object with values, and save() does not do validation checks; it does an update. So you should do the escaping/validation before that, and it is not automatic. You can add a filter to the form itself and then use getFilteredValues/getUnfilteredValues. The only automatic escaping I think happens is when using Zend_Select and you bind parameters with ?
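The approach from the answers, as an added example that is not part of the original question or answers: a Zend_Form that declares filters and validators per element, and a controller action that passes $form->getValues() to setFromArray() instead of raw $_POST. Form_MyForm, Model_DbTable_MyTable and the field names are assumed from the question, not a real project.

```php
<?php
// Added example (not the original poster's code). Form_MyForm and
// Model_DbTable_MyTable are the assumed names from the question.
class Form_MyForm extends Zend_Form
{
    public function init()
    {
        $this->setMethod('post');

        // Filters run before validators: trim whitespace and strip HTML tags.
        $this->addElement('text', 'username', array(
            'required'   => true,
            'filters'    => array('StringTrim', 'StripTags'),
            'validators' => array(
                array('StringLength', false, array(3, 32)),
                array('Regex', false, array('/^[A-Za-z0-9_]+$/')),
            ),
        ));

        $this->addElement('text', 'email', array(
            'required'   => true,
            'filters'    => array('StringTrim'),
            'validators' => array('EmailAddress'),
        ));

        $this->addElement('submit', 'submit');
    }
}

// Inside a Zend_Controller_Action method (assumed context).
$myForm  = new Form_MyForm();
$myTable = new Model_DbTable_MyTable();

if ($this->getRequest()->isPost()) {
    if ($myForm->isValid($this->getRequest()->getPost())) {
        // getValues() returns only declared elements, after their filters ran,
        // so unexpected POST keys never reach the row object. This is input
        // hygiene (e.g. against stored HTML), not SQL quoting.
        $values = $myForm->getValues();
        unset($values['submit']); // the button is not a table column

        $myRow = $myTable->createRow();
        $myRow->setFromArray($values);
        // save() goes through Zend_Db_Adapter insert()/update(), which pass the
        // column values as bound parameters rather than interpolating them.
        $myRow->save();
    }
}
```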
