I am using zend_form to create the form that is rendered. Although there are validation rules specified in the form, it is not impossible to inject new elements into the response. Thus more filtering of $this->_request->getParams() is required.
Is there a way to delete all unvalidated input before reaching the action? I am aware that I can unset() any alien manually before processing the response, but I am looking for a more elegant solution.
EDIT:
I am looking to grab the request parameters and put them into the database using Zend_Db_Table_Abstract::insert($this->_request->getParams()). This would have worked fine since the form is validated and only validated form elements were present in the request. Since that’s not the case by default, I’d have to filter out the elements prior to doing the insert.
Wouldn’t it be easier just to pick up the fields you need in the action (after validating them with Zend_Form), and discard the rest of the parameters?
Unless you have many parameters in the request, this looks like the most secure way to me… You’ll only get the parameters you are actually expecting, and nothing else.
EDIT:
In case you need to get only the valid values using Zend_Form, would the getValidValues() method help? See http://framework.zend.com/manual/en/zend.form.quickstart.html#zend.form.quickstart.validate. You can then unset() all the parameters not in this list from the request. I don’t know if there is a way of doing it more elegantly than this.
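The approach the answer describes, as an added example that is not part of the original question or answer: let the Zend_Form (ZF1) define the allow-list and insert only what the form returns, so surplus request keys never reach the table. The field names, the `UserForm` class and the `Application_Model_DbTable_Users` table class are assumptions for illustration.

```php
<?php
// Added example (not from the original post). The form declares exactly the
// fields the action expects; field names and class names are assumed.
class UserForm extends Zend_Form
{
    public function init()
    {
        $this->addElement('text', 'name', array(
            'required'   => true,
            'filters'    => array('StringTrim'),
            'validators' => array(array('StringLength', false, array(1, 50))),
        ));
        $this->addElement('text', 'email', array(
            'required'   => true,
            'filters'    => array('StringTrim'),
            'validators' => array('EmailAddress'),
        ));
        // 'ignore' => true keeps the button out of getValues().
        $this->addElement('submit', 'save', array('ignore' => true));
    }
}

class UserController extends Zend_Controller_Action
{
    public function saveAction()
    {
        $form = new UserForm();
        // getParams() also carries 'module', 'controller', 'action' and any
        // extra key a client added (e.g. a constructed 'is_admin' => 1).
        $params = $this->_request->getParams();

        if (!$form->isValid($params)) {
            $this->view->form = $form;
            return;
        }

        // getValues() returns only declared, filtered, non-ignored elements,
        // so keys the form never defined are dropped before the insert.
        // ($form->getValidValues($params) gives the subset that validated
        // even when the form as a whole is not valid.)
        $clean = $form->getValues();

        $table = new Application_Model_DbTable_Users(); // assumed table class
        $table->insert($clean);                         // name and email only
        $this->_helper->redirector('index');
    }
}
```

Because the column list comes from the form rather than from the request, adding a new column to the table does not expose it until an element for it is added to the form.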