Escaping User Input

Some users are not interested in using the application for its intended purpose; they want to steal user information using any of the many methods available to them. To limit these possibilities, you can build your own escape() method to clean incoming user data. You will typically use the strip_tags() function, the htmlentities() function, or a combination of the two, along with your own filtering.

Clean input must be a high priority in any application in which the user enters data for you to save or manipulate in the back end. Zend Framework added a Zend_View method, escape(), which lets you not only clean user input but also override the default filtering and supply your own escape() implementation.

The escape() method by default acts as a wrapper around the internal PHP function htmlspecialchars(). The htmlspecialchars() PHP function replaces <, >, &, ", and ' with their respective HTML-encoded equivalents: &lt;, &gt;, &amp;, &quot;, and &#039;. For example, consider the following string:

<tag>PHP & Zend Framework</tag>

After passing the string into htmlspecialchars(), it would become the following:

&lt;tag&gt;PHP &amp; Zend Framework&lt;/tag&gt;

Listing 4-20 shows how to use the method in the view.

Listing 4-20. remove.phtml

<?php echo $this->doctype('XHTML1_STRICT'); ?>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <?php echo $this->headTitle(' - Remove Artist'); ?>
</head>
<body>
<?php echo $this->render('includes/header.phtml') ?>
<h3>Remove Artist</h3>
<table>
    <tr>
        <td>Artists - <i>Total Artists (<?php echo $this->totalArtist; ?>)</i></td>
    </tr>
    <?php foreach ($this->artists as $artist) { ?>
    <tr>
        <td>
            <!-- escape() is applied both to the attribute value and to the text node -->
            <input type="checkbox" value="<?php echo $this->escape($artist['name']) ?>" name="remove" />
            <?php echo $this->escape($artist['name']) ?>
            <?php if ($this->escape($artist['rating']) == 5) { ?> * <?php } ?>
        </td>
    </tr>
    <?php } ?>
    <tr><td><input type="submit" value="Remove" /></td></tr>
</table>
</body>
</html>

Because the controller creates a Zend_View object by default, and the view script runs in the scope of that object, you can call escape() directly in the view as $this->escape(). The same method can be applied in the controller, through $this->view->escape(), to escape any incoming user data (see Listing 4-21).

Listing 4-21. ArtistController.php

public function saveArtistAction()
{
    // Initialize variables from the submitted form
    $artistName = $this->_request->getPost('artistName');
    $genre      = $this->_request->getPost('genre');
    $rating     = $this->_request->getPost('rating');
    $isFav      = $this->_request->getPost('isFav');

    // Clean up inputs using the view's escape() method
    $artistName = $this->view->escape($artistName);
    $genre      = $this->view->escape($genre);
    $rating     = $this->view->escape($rating);
    $isFav      = $this->view->escape($isFav);

    // Save the input
}

Listing 4-21 updates the existing ArtistController.php file. You add the escape() method to escape all incoming data from the submitted Add New Artist form. The updated saveArtistAction() initializes $artistName, $genre, $rating, and whether the artist is a favorite using the request object's getPost() method. Finally, the input is saved, and a thank you page displays.

Because the default functionality of escape() is simply to convert the special characters, it provides some protection, but not enough on its own. You will want to extend the functionality of escape() and add a few more methods to clean the input.
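The following is an added example, not code from the book or from Zend Framework itself. It shows what the default htmlspecialchars() wrapper described above actually produces on a few constructed inputs, side by side with a stricter replacement that you can register with Zend_View's setEscape() so that every $this->escape() call in your views uses it. The class name SafeEscaper, its two methods, and the sample strings are assumptions made for this example. Two caveats it demonstrates: on PHP versions before 8.1, htmlspecialchars() without the ENT_QUOTES flag leaves the single quote alone (a problem inside single-quoted attributes), and without ENT_SUBSTITUTE it returns an empty string for a value containing invalid UTF-8, silently dropping the data. The example assumes Zend Framework 1.x when it registers the callback; the escaper itself is plain PHP and runs without it.

```php
<?php
// Added example, not part of the book or of Zend Framework.
// Assumes Zend Framework 1.x (Zend_View_Abstract::setEscape()) only in the
// final registration step; everything else is plain PHP.

class SafeEscaper
{
    /**
     * Escape a value for use as HTML text or attribute content.
     *
     * Differences from the default htmlspecialchars() wrapper:
     *  - ENT_QUOTES also encodes the single quote (PHP < 8.1 does not by default),
     *  - ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '',
     *  - the character set is pinned to UTF-8 instead of the php.ini default.
     */
    public static function escape($value)
    {
        if (is_array($value)) {
            // Escape each element, e.g. a list of artist names.
            return array_map(array(__CLASS__, 'escape'), $value);
        }
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Variant for data that should never carry markup at all (such as a name
     * to be stored): strip tags first, then encode whatever is left.
     */
    public static function clean($value)
    {
        return self::escape(strip_tags(trim((string) $value)));
    }
}

// Constructed sample inputs that exercise the differences.
$samples = array(
    "<tag>PHP & Zend Framework</tag>",   // the book's own example string
    "O'Reilly",                          // single quote
    "<b>Metallica</b>",                  // markup inside a name
    "Bj\xC3\xB6rk",                      // valid UTF-8
    "bad\xC3 byte",                      // truncated UTF-8 sequence
);

foreach ($samples as $s) {
    printf("%-32s default: %-40s strict: %-40s clean: %s\n",
        addcslashes($s, "\x80..\xff"),   // show high bytes as octal escapes
        htmlspecialchars($s),            // what Zend_View::escape() does by default
        SafeEscaper::escape($s),
        SafeEscaper::clean($s));
}

// Register the stricter escaper so $this->escape() in every view uses it.
if (class_exists('Zend_View')) {
    $view = new Zend_View();
    $view->setEscape(array('SafeEscaper', 'escape'));
    echo $view->escape("O'Reilly"), "\n";
}
```

The escaper is only correct for HTML text and attribute values; a value placed into a JavaScript block or a URL needs the encoding rules of that context instead, which is one reason the chapter's point that the default conversion "is not enough" holds regardless of which flags you pass.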
