views: 381

answers: 3
I'm a little confused by what I should use to escape user output.

Firstly, there's the Zend_Filter_Input class which looks like it might do what I want but seems oriented towards batch filtering lots of items. At the moment I only want to filter one. Also I'm a little confused by the definition of escapers compared to filters. What's the difference between the StringTrim filter and the escaper?

Is there a better solution for escaping single elements?

A: 

Use htmlspecialchars()?

If this is not what you want, please specify what you mean by "escape user output".

gnud
+4  A: 

Filters are great on your forms so that you can clean & normalize your data before processing/storing it. You mentioned StringTrim - you've got other ones that ensure capitalization or that your input is all numeric (or alphanumeric or...). Make a note that this is to ensure consistency and sanity in your data - not for avoiding SQL injection - ZF's Database libraries handle that as a separate issue.

On the flip-side of this, you get to escape things for output. While "x < 5" or "PB&J" may be perfectly valid data to store and process in your system, they can cause problems when displayed on a web page. This is why you'd normally use htmlspecialchars() or htmlentities() - by default, Zend_View uses htmlspecialchars() when you call $this->escape($foo).

Sean McSomething
Thank you - I didn't know about the escape view helper.
Ross
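The two stages gnud and Sean describe (normalise on the way in, escape on the way out), as an added example that is not code from either answer or from Zend Framework itself. It is plain PHP so it runs without ZF installed: trim_input() and alnum_input() stand in for Zend_Filter_StringTrim and Zend_Filter_Alnum, and escape_html() stands in for what Zend_View::escape() does around htmlspecialchars(). The POST data is constructed for the example.

```php
<?php
// Added example, not code from the thread or from Zend Framework: it shows the
// two stages Sean describes in plain PHP so it runs without ZF installed.
// trim_input()/alnum_input() stand in for Zend_Filter_StringTrim and
// Zend_Filter_Alnum; escape_html() stands in for Zend_View::escape(), which
// by default wraps htmlspecialchars().

// Stage 1: filtering on the way in. The goal is sane, consistent data.
// "<", "&" and "'" are legitimate content and are deliberately kept.
function trim_input(string $value): string
{
    return trim($value);
}

function alnum_input(string $value): string
{
    // ASCII letters and digits only, like Zend_Filter_Alnum without whitespace
    return preg_replace('/[^A-Za-z0-9]/', '', $value);
}

// Stage 2: escaping on the way out, once per place the value is written.
// ENT_QUOTES matters: before PHP 8.1 the default is ENT_COMPAT, which leaves
// single quotes alone, so a value inside value='...' could still break out.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders a value into both an element body and a single-quoted attribute.
function render_field(string $name, string $value): string
{
    $safe = escape_html($value);
    return "<p>$name: $safe</p>\n<input name=\"$name\" value='$safe'>\n";
}

// Constructed sample POST data (not real traffic).
$post = [
    'username' => "  o'neil<script>alert(1)</script> ",
    'note'     => 'x < 5 && PB&J',
    'zip'      => '9021-0 ',
];

// Filter once; store and process $clean rather than $post.
$clean = [
    'username' => trim_input($post['username']),  // still contains <script>
    'note'     => trim_input($post['note']),      // "<" and "&" preserved
    'zip'      => alnum_input($post['zip']),      // "90210"
];

// Escape at output. The <script> survives in the data but renders inert,
// and the single quote becomes &#039; so the attribute stays closed.
foreach ($clean as $name => $value) {
    echo render_field($name, $value);
}
```

Two things to keep in mind when using this pattern with the real helpers: check which flags your ZF version passes to htmlspecialchars() from escape(), since single-quoted attributes are only safe with ENT_QUOTES; and HTML escaping only covers element bodies and quoted attributes. A value dropped into a <script> block or a URL needs a different encoder (json_encode() or rawurlencode()), which neither htmlspecialchars() nor the escape view helper provides.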
A: 

If you are concerned about security and want to automatically escape all variables similar to how Django does then you might be interested in this article.

How to automatically escape template variables in Zend_View

ejunker