Hi,

On my website I have a comment section. I want to filter and validate the input before I store it in my database. If there are any invalid chars in the input, the user gets the notice that his input is invalid.

My question: which chars are not allowed? E.g. I want to avoid SQL injections.

Tags are not allowed. How do I check that?

+1  A: 

If you are using Zend_Db and parameterised queries (i.e.: $adapter->insert($tableName, array('param' => 'value'))) then it will automagically escape everything for you.

If, however, you want to further validate the user input, have a look at Zend_Validate http://framework.zend.com/manual/en/zend.validate.html and Zend_Filter http://framework.zend.com/manual/en/zend.filter.html.

Also, if by "tags" you mean HTML tags, I wouldn't do anything to those on input, but do make sure you properly escape / strip them on output (have a look at http://uk2.php.net/htmlspecialchars).

If you want to display an error message if the input contains HTML tags, and assuming $comment is the comment body, you could try:

<?php
// If strip_tags() changes the string, it contained something that looks like a tag
if (strip_tags($comment) !== $comment) {
    // It seems it contained some html tags; report the input as invalid
}
Andrei Serdeliuc
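The three points of the answer (parameterised insert, rejecting tags on input with the strip_tags() check, escaping on output) put together in one runnable script. This is an added example, not code from the answer or from Zend Framework: it uses PDO with an in-memory SQLite database instead of Zend_Db so it runs stand-alone, and the table name, column names and the function names validateComment, storeComment and renderComment are assumptions.

```php
<?php
// Added example (not from the original answer): validate a comment body, reject it
// if it contains HTML tags, store it with a parameterised query, and escape it again
// when rendering. PDO + SQLite stand in for Zend_Db; the "comments" table is assumed.

declare(strict_types=1);

/**
 * Return a list of validation errors for a comment body (empty array = valid).
 * The tag check is the one from the answer: if strip_tags() changes the string,
 * it contained something PHP considers a tag.
 */
function validateComment(string $comment): array
{
    $errors  = [];
    $trimmed = trim($comment);

    if ($trimmed === '') {
        $errors[] = 'Comment must not be empty.';
    }
    if (mb_strlen($trimmed) > 2000) {
        $errors[] = 'Comment is too long (max 2000 characters).';
    }
    if (strip_tags($trimmed) !== $trimmed) {
        $errors[] = 'HTML tags are not allowed in comments.';
    }
    return $errors;
}

/** Store a comment with bound parameters; quotes and semicolons are plain data here. */
function storeComment(PDO $db, string $author, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $comment]);
    return (int) $db->lastInsertId();
}

/** Escape on output so stored text is never interpreted as markup by the browser. */
function renderComment(string $author, string $comment): string
{
    return '<p><b>' . htmlspecialchars($author, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</b>: '
        . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- demo with constructed inputs ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, author TEXT, body TEXT)');

$samples = [
    "Nice article, thanks!",
    "Look at <b>this</b> bold text",                 // rejected by the tag check
    "It's a \"quoted\" word; -- and a semicolon",   // accepted; stored verbatim as data
    "",                                             // rejected: empty
];

foreach ($samples as $text) {
    $errors = validateComment($text);
    if ($errors !== []) {
        echo 'Rejected: ' . implode(' ', $errors) . "\n";
        continue;
    }
    $id = storeComment($db, 'alice', $text);
    echo "Stored comment #$id\n";
}

// Read back and render: the quoted comment comes back intact and is HTML-escaped.
foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo renderComment($row['author'], $row['body']) . "\n";
}
```

One caveat worth knowing before using the strip_tags() comparison as a validator: PHP treats any `<` immediately followed by a non-space character as the start of a tag, so a comment like `1<2` is flagged even though it contains no HTML, while `a < b` (with spaces) passes. If that false positive matters for your audience, show the user which part of the text triggered the check rather than a bare "invalid input" message.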
Thanks, I escape things on output already. But why should I allow the user to input HTML tags? I want an error message to be displayed that the input is invalid.
ArtWorkAD
Altered the answer with an example on how to show an error message if it contains HTML tags. I'm not sure what the context of the comment is, but it's generally harmless to allow but escape HTML tags. For example, if you were running a website about web development, maybe the commenter will include HTML tags as an example.
Andrei Serdeliuc