I've seen different comments all over the place, some say that Zend Framework automatically sanitizes POST/GET data but others say it doesn't. What's the deal? I've seen that doing it in the preDispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions?
Probably the deal is about Zend_Controller_Request vs. Zend_Db. Request data are often put into the DB.
The Request object does not escape anything. You may force it to do so using filters, form filters or e.g. using the reflection technique described here:
Zend_Db queries are basically escaped like in other ORMs, like in PDO.
It does not automatically sanitize any request data. It cannot, because that requires it to know how to sanitize it, e.g. should $_GET['foo'] be string sanitized or for numbers? You have to tell it.
Whether you sanitize input manually in the respective Controller Actions or in an ActionHelper or automatically in a Controller Plugin or during bootstrap or with a mixture of these is up to you.
Use what is appropriate.
It definitely doesn't automatically sanitise your variables for you. You could do something like foreach or use array_map depending on the context, for example:
    $_POST = array_map('mysql_real_escape_string', $_POST);
Ideally though you should treat each variable on a case by case basis. Personally I make a lot of use of PHP's filter_var for filtering and sanitizing.
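The per-field approach recommended in the two answers above (sanitize each param according to its type rather than blanket-escaping everything, and do it in one place such as a controller plugin), as an added example that is not from the question or any answer. The plugin class name, the rule map and the 'clean'/'cleanErrors' param names are assumptions of this example; everything else is the Zend Framework 1 plugin API and PHP's filter_var.

```php
<?php
// Added example: a ZF1 front-controller plugin that filters request params
// per field in preDispatch. Unlisted params are ignored, values that fail
// their filter are recorded, and actions read only the filtered copy.
class App_Plugin_SanitizeParams extends Zend_Controller_Plugin_Abstract
{
    // Assumed rule map: the filter appropriate to each param's type.
    private $rules = array(
        'id'    => array('filter'  => FILTER_VALIDATE_INT,
                         'options' => array('options' => array('min_range' => 1))),
        'email' => array('filter'  => FILTER_VALIDATE_EMAIL),
        'q'     => array('filter'  => FILTER_CALLBACK,
                         'options' => array('options' => 'App_Plugin_SanitizeParams::plainText')),
    );

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $clean  = array();
        $errors = array();
        foreach ($this->rules as $name => $rule) {
            $raw = $request->getParam($name);
            if ($raw === null) {
                continue;                       // absent: nothing to filter
            }
            if (is_array($raw)) {               // e.g. ?id[]=1 where a scalar is expected
                $errors[$name] = 'scalar expected';
                continue;
            }
            $opts  = isset($rule['options']) ? $rule['options'] : 0;
            $value = filter_var($raw, $rule['filter'], $opts);
            if ($value === false) {
                $errors[$name] = 'invalid';
                continue;
            }
            $clean[$name] = $value;
        }
        // Actions use $this->getRequest()->getParam('clean'), never the raw params.
        // Escaping for output (view) and for SQL (Zend_Db bind params) still
        // happens at those sinks; this step only enforces type and shape.
        $request->setParam('clean', $clean);
        $request->setParam('cleanErrors', $errors);
    }

    public static function plainText($s)
    {
        // Free-text search term: drop control characters and trim.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', (string) $s));
    }
}
```

Register it once during bootstrap with Zend_Controller_Front::getInstance()->registerPlugin(new App_Plugin_SanitizeParams()); a non-empty 'cleanErrors' param is the action's cue to reject the request.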
Source: https://stackoverflow.com/questions/4086852/zend-framework-sanitizing-data