Filtering User Input/Output in Zend Framework

Jun 26, 2012 security zend-framework
This post is more than 18 months old. Since technology changes too rapidly, this content may be out of date (but that's not always the case). Please remember to verify any technical or programming information with the current release.

User input has to be handled at two points: when it is displayed (escape it for the context it is printed into) and before it is stored (filter and validate it). The two are not interchangeable: validating a value on the way in does not make it safe to print, and escaping it on the way out does not make it safe to store. Luckily, Zend Framework provides tools for both.

Filtering User Input in the View

In any view script, the view object's escape() method is available as $this->escape(). By default it calls htmlspecialchars() with ENT_COMPAT and the view's encoding (UTF-8), which is what text inside an HTML element or a double-quoted attribute needs. It does not encode single quotes, so never put an escaped value in a single-quoted attribute, and HTML escaping is the wrong encoder for URLs and inline JavaScript. Whenever displaying user input in HTML, use it:

echo '<p>Hello ' . $this->escape($user->getName()) . '!</p>';
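The view script below is an added example, not code from the original post. It assumes it is rendered by Zend_View (so $this is the view object) and that the controller assigned $this->user, a hypothetical object with a getName() accessor like the one above. It shows the contexts where escape() is the right call and the two where another encoder has to run first.

```php
<?php
// Added example (not from the original post): a Zend Framework 1 view script
// (.phtml). Assumes Zend_View renders it, so $this is the view, and that the
// controller assigned $this->user, a hypothetical object with getName().
$name = $this->user->getName();

// 1. Text inside an element: escape() (htmlspecialchars, ENT_COMPAT, UTF-8)
//    encodes < > & and ", which is all this context needs.
echo '<p>Hello ' . $this->escape($name) . '!</p>';

// 2. Attribute value: wrap it in double quotes. The default escaping encodes
//    " but leaves ' alone, so a single-quoted attribute could be broken out of.
echo '<input type="text" name="name" value="' . $this->escape($name) . '">';

// 3. Query-string parameter: percent-encode for the URL first, then
//    HTML-escape the result for the attribute it is placed in.
echo '<a href="/user?name=' . $this->escape(rawurlencode($name)) . '">Profile</a>';

// 4. Inline JavaScript: HTML escaping is the wrong encoder here. json_encode()
//    yields a quoted JS string literal and escapes "/" by default, so a value
//    containing "</script>" cannot terminate the script block.
echo '<script>var userName = ' . json_encode($name) . ';</script>';
```

The rule of thumb behind cases 3 and 4: encode for the innermost context first (URL, JavaScript) and for HTML last, since the HTML parser sees the text before the browser hands it to the URL or script engine.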

Filtering User Input before Persistence

Zend_Filter_Input exists to filter and validate this content: it takes a set of filter rules, a set of validator rules and the raw data. In this example the form posts a numeric ID called key and a string field called name.

// Filters run first. '*' is the wildcard: StringTrim is applied to every field.
$filters = array(
  '*'   => 'StringTrim',
  'key' => 'Digits'
);
// Validators run on the filtered values.
$validators = array(
  'key' => 'Digits',
  'name'=> 'Alpha'
);
$filteredInput = new Zend_Filter_Input($filters, $validators, $_POST);

The $filteredInput object now holds the filtered input, but nothing is usable until the rules have been checked. Filters run first: StringTrim is applied to every item in the input array (that is what the * rule means), then the Digits filter is applied to the key element only. Then the validators run on the filtered values: key must pass Zend_Validate_Digits and name must pass Zend_Validate_Alpha.

Before using any value, call $filteredInput->isValid() and, on failure, read $filteredInput->getMessages(), which is keyed by field name. Read values with getUnescaped('name') for storage and getEscaped('name') for HTML output; getEscaped() runs the value through Zend_Filter_HtmlEntities, so it must never be what you store.

Three caveats. Because filters run before validators, the Digits filter turns a key of "42abc" into "42", which then validates; if you want such input rejected rather than silently repaired, leave the filter off and let the validator fail. Zend_Validate_Alpha rejects whitespace unless it is constructed with allowWhiteSpace set to true, so as written a name such as "John Smith" fails. And fields are optional by default: a missing key or name is not an error unless the rule carries 'presence' => 'required'.

Zend_Form does the same job through the filters and validators attached to each element. When not using Zend_Form, be absolutely certain to run your input through Zend_Filter_Input this way. Either way, still escape on output: a value that passed validation on the way in is not thereby safe to print.
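The script below is an added example, not code from the original post, showing the complete request-handling flow around Zend_Filter_Input for the post's two fields: required fields, a whitespace-tolerant Alpha rule, the isValid()/getMessages() check, and the split between getUnescaped() for storage and getEscaped() for HTML. It deliberately drops the post's Digits filter on key so that a bad ID is rejected instead of silently repaired. It assumes Zend Framework 1 is on the include_path; the two request arrays are constructed inline so it runs from the CLI without a web server.

```php
<?php
// Added example (not from the original post). Assumes Zend Framework 1 is on
// the include_path. The request arrays at the bottom are constructed samples
// standing in for $_POST.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

function processRequest(array $post)
{
    $filters = array(
        // Trim every field. Deliberately no Digits filter on key: a filter runs
        // before the validator and would turn "42abc" into "42", hiding bad input.
        '*' => 'StringTrim',
    );
    $validators = array(
        'key'  => array(
            'Digits',
            Zend_Filter_Input::PRESENCE => Zend_Filter_Input::PRESENCE_REQUIRED,
        ),
        'name' => array(
            array('Alpha', true),          // allowWhiteSpace = true: "Alice Smith" passes
            array('StringLength', 1, 64),
            Zend_Filter_Input::PRESENCE => Zend_Filter_Input::PRESENCE_REQUIRED,
        ),
    );
    $input = new Zend_Filter_Input($filters, $validators, $post);

    // isValid() covers missing and invalid fields. Fields with no rule are
    // reported separately by hasUnknown(); reject them too when the form is a
    // strict whitelist of what the client may send.
    if (!$input->isValid() || $input->hasUnknown()) {
        return array(
            'ok'      => false,
            'errors'  => $input->getMessages(),   // field => array of messages
            'unknown' => $input->getUnknown(),    // field => value
        );
    }

    return array(
        'ok'       => true,
        // getUnescaped(): the filtered and validated value. This is what goes to
        // the database, still through a prepared statement or Zend_Db quoting.
        'key'      => (int) $input->getUnescaped('key'),
        'name'     => $input->getUnescaped('name'),
        // getEscaped(): the same value through Zend_Filter_HtmlEntities. Use it
        // only when printing into HTML, and never store it.
        'nameHtml' => $input->getEscaped('name'),
    );
}

// Constructed sample requests standing in for $_POST.
$good = array('key' => ' 42 ', 'name' => 'Alice Smith');
$bad  = array('key' => '42abc', 'name' => 'Alice <script>', 'role' => 'admin');

var_dump(processRequest($good));
var_dump(processRequest($bad));
```

The first request passes: key is trimmed to "42" and validates, and the name with a space is accepted because of the allowWhiteSpace argument. The second fails on both fields (the letters in key, the markup in name) and reports role as an unknown field, which is the behaviour you want from a form that only expects key and name.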
