views:

600

answers:

3

I don't have any concept about ZF safety. Do I have to use Filter when operating on the database? Maybe binding is enough? How about this:

$users->update($data, 'id=1');

Should the $data array be filtered somehow? Feel free to write anything you know about the issue.

Could you give some links to good articles about safety in ZF (mainly about SQL Injection and XSS)?

+1  A: 

The same concept is valid for the Zend Framework and for every other web application/library/whatever that manipulate user data:

Always validate user input. Trust no one.

If you're expecting a string, be sure you receive a string. This can be performed using framework libraries (for example, in this very case you're using the Zend framework) or by manually implementing validation functions.

Validation must ALWAYS be performed on Server Side. Client side validation should also be present, to provide a better user experience.

In the case of Zend, please refer to the Validation page from the manual.

Roberto Aloi
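The "validate on the server side, using the framework's own libraries" advice above, as an added example that is not part of Roberto Aloi's answer: Zend_Filter_Input (Zend Framework 1.x) filters and validates a request array before any of it reaches Zend_Db. The field names (id, email, nickname) and the sample request are constructed for illustration.

```php
<?php
// Added example: server-side input validation with Zend_Filter_Input.
// Field names and the sample request below are assumptions, not from the question.

require_once 'Zend/Filter/Input.php';

// Filters run first and normalise the raw strings.
$filters = array(
    '*'        => 'StringTrim',   // trim every field
    'nickname' => 'StripTags',    // never persist markup supplied by the user
);

// Validators run second and reject anything that is not the expected type/shape.
$validators = array(
    'id'       => array('Int',
                        Zend_Filter_Input::PRESENCE => Zend_Filter_Input::PRESENCE_REQUIRED),
    'email'    => array('EmailAddress',
                        Zend_Filter_Input::PRESENCE => Zend_Filter_Input::PRESENCE_REQUIRED),
    'nickname' => array(array('StringLength', 1, 32), 'Alnum'),
);

// Constructed sample standing in for $_POST; not real traffic.
$rawInput = array(
    'id'       => ' 7 ',
    'email'    => 'alice@example.com',
    'nickname' => '<b>alice</b>',
);

$input = new Zend_Filter_Input($filters, $validators, $rawInput);

if (!$input->isValid()) {
    // Fail closed: report the problems and do not touch the database.
    foreach ($input->getMessages() as $field => $messages) {
        foreach ($messages as $message) {
            echo "$field: $message\n";
        }
    }
    exit(1);
}

// Only now read the cleaned values. getUnescaped() returns the filtered value
// for use as a bound parameter; getEscaped() additionally HTML-escapes it for a view.
$data = array(
    'email'    => $input->getUnescaped('email'),     // 'alice@example.com'
    'nickname' => $input->getUnescaped('nickname'),  // 'alice' (tags stripped, trimmed)
);
$id = (int) $input->getUnescaped('id');              // 7

// $data and $id can now be handed to Zend_Db_Table::update($data, $where).
```

The point of the two-stage layout is that filtering (trimming, tag stripping) only normalises, while validation decides whether the request is acceptable at all; a failed validation stops processing rather than "cleaning up" a hostile value and carrying on.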
A: 

Binding should prevent SQL injection but it does nothing to prevent XSS. You should always filter your data as necessary and when echoing output in the view, you should escape anything that might be dangerous.

echo $this->escape($this->foo);
smack0007
+2  A: 

Short answer
While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you'd use without Zend Framework.


Regarding your code snippet, check out the Chapter on Zend_Db in the Reference Guide:

By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You don't need to apply escaping or quoting to values in the data array.

This doesn't mean you don't have to bother about security. For instance, for the Update method above:

The third argument is a string containing an SQL expression that is used as criteria for the rows to change. The values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting Values and Identifiers for methods to help you do this.

Note that since you are obviously using Zend_Db_Table, the third argument is the second argument. Internally, the table instance will delegate the call to the db adapter with the first param being the table instance's table name.


Regarding Zend_View and XSS attack vectors:

Zend_View comes with an initial set of helper classes, most of which relate to form element generation and perform the appropriate output escaping automatically.

Again, most of which does not mean all. Zend_View does provide Zend_View::escape() to help you sanitize output, but this is nothing special.

Gordon
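The two points made by Gordon and smack0007 above (the data array is bound, the WHERE string is not, and view output must be escaped) as an added example that is not part of either answer: a Zend_Db_Table update whose criteria are built with the adapter's quoteInto(), followed by the matching view-side escape. The Users table class, the column names and the untrusted sample value are assumptions for illustration.

```php
<?php
// Added example: safe Zend_Db_Table::update() in Zend Framework 1.x.
// Table class, columns and the sample value are assumptions, not from the thread.
// Assumes a default adapter has already been registered via
// Zend_Db_Table_Abstract::setDefaultAdapter().

require_once 'Zend/Db/Table/Abstract.php';

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

$users = new Users();
$db    = $users->getAdapter();

// Constructed untrusted input, e.g. what $_GET['id'] might carry.
$untrustedId = '1 OR 1=1';

// Values in $data are bound as parameters by the adapter: quotes inside them
// are harmless and must NOT be escaped by hand (that would double-escape).
$data = array(
    'nickname' => "O'Brien",
);

// UNSAFE: concatenation puts the raw value into the SQL text unquoted, so the
// sample above would become the condition "id=1 OR 1=1" and match every row.
// $where = 'id=' . $untrustedId;

// SAFE: quoteInto() replaces ? with the value quoted for this adapter. Casting
// first is better still when the key is known to be numeric ('1 OR 1=1' -> 1).
$where = $db->quoteInto('id = ?', (int) $untrustedId);

$rowsAffected = $users->update($data, $where);
// Equivalent at adapter level: $db->update('users', $data, $where);

// Several conditions: quote each one separately; an array of strings is ANDed.
$where = array(
    $db->quoteInto('id = ?', (int) $untrustedId),
    $db->quoteInto('status = ?', 'active'),
);
$users->update($data, $where);

// Dynamic identifiers (column or table names) are quoted with quoteIdentifier(),
// never quoteInto(), which is for values only.
$column = $db->quoteIdentifier('nickname');
$where  = $db->quoteInto($column . ' = ?', "O'Brien");

// In the view script (.phtml) that shows the row back, escape before echoing.
// $this->user is assumed to be assigned by the controller:
//   <p><?php echo $this->escape($this->user['nickname']); ?></p>
```

The split to remember is value versus SQL text: anything that ends up inside the data array travels as a bound parameter, anything that ends up in the WHERE string is SQL and has to be quoted by you, and anything read back out is HTML and has to be escaped by the view.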