Menu
I don't have any concept about ZF safety. Do I have to use Filter when operating on database? Maybe binding is enough ? How about this:
$users->update($data, 'id=1');
Should $data array be filtered somehow ? Feel free to write anything you know about the issue.
Could you give some links to good articles about safety in ZF (mainly about SQL Injection and XSS)?
639
Short answer
While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you'd use without Zend Framework.
Regarding your code snippet, check out the Chapter on Zend_Db in the Reference Guide:
By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You don't need to apply escaping or quoting to values in the data array.
This doesn't mean you don't have to bother about security. For instance, for the Update method above
The third argument is a string containing an SQL expression that is used as criteria for the rows to change. The values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting Values and Identifiers for methods to help you do this.
Note since you are using Zend_Db_Table obviously, third argument is second argument. Internally, the table instance will delegate the call to the db adapter with the first param being the table instance's tablename.
Regarding Zend_View and XSS attack vectors:
Zend_View comes with an initial set of helper classes, most of which relate to form element generation and perform the appropriate output escaping automatically.
Again most of which does not mean all. Zend_View does provide Zend_View::escape() to help you sanitize output, but this nothing special.
80
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
