I’m a little confused by what I should use to escape user output.
Firstly, there’s the Zend_Filter_Input class which looks like it might do what I want but seems oriented towards batch filtering lots of items. At the moment I only want to filter one. Also I’m a little confused by the definition of escapers compared to filters. What’s the difference between the StringTrim filter and the escaper?
Is there a better solution for escaping single elements?
Filters are great on your forms so that you can clean & normalize your data before processing/storing it. You mentioned StringTrim – you’ve got other ones that ensure capitalization or that your input is all numeric (or alphanumeric or…). Make a note that this is to ensure consistency and sanity in your data – not for avoiding SQL injection – ZF’s Database libraries handle that as a separate issue.
On the flip-side of this, you get to escape things for output. While ‘x < 5’ or ‘PB&J’ may be perfectly valid data to store and process in your system, they can cause problems when displayed on a web page. This is why you’d normally use htmlspecialchars() or htmlentities() – by default, Zend_View uses htmlspecialchars() when you $this->escape($foo).
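To make the filter/escaper split concrete, here is an added example (not from the thread, and not ZF's own code) that runs one value through a Zend_Filter chain on the way in and through an htmlspecialchars()-based escaper on the way out. It assumes Zend Framework 1 is on the include path and that the escaper mirrors what Zend_View's escape() does by default.

```php
<?php
// Added example, not from the original thread. Assumes ZF1 on the include path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Input side: normalise a single field with a filter chain.
// No need for Zend_Filter_Input when you only have one value.
function normalizeName($raw)
{
    $chain = new Zend_Filter();
    $chain->addFilter(new Zend_Filter_StringTrim());
    $chain->addFilter(new Zend_Filter_StringToLower());
    return $chain->filter($raw);
}

// Output side: escape for an HTML context, the same job $this->escape($foo)
// does in a view script (htmlspecialchars with quotes and an explicit charset).
function escapeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Filtering trims and lower-cases but leaves the '&' in place: the value is
// still valid data and is what you would store.
$stored = normalizeName("  PB&J  ");

// Escaping is applied only at output time; '&' and '<' become entities here,
// and the stored value is never modified.
echo '<p>' . escapeForHtml($stored) . '</p>';
echo '<p>' . escapeForHtml('x < 5') . '</p>';
```

The filter chain never makes a value safe for HTML, and the escaper never changes what gets stored; each step is applied exactly once at its own boundary.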