I’m using CakePHP, but it’s a question about the MVC pattern. I have in my form an input text for the tags (separated by commas). To add the tags I’ve created a Tag model method that basically checks if the tag exists and then adds the new tag or just adds one to the tag counter (the Tag model has these fields: id, name, slug, count).
In the controller I explode the tags field and pass one tag at a time.
The question is: where do I sanitize data? In the controller or in the model method? I think it should be in the controller because that’s where I explode, but in terms of reusability I think I should sanitize data in the model.
What do you think?
I disagree with sanitizing the data for storage in the controller, and think the best place to do it is in the model, as the controller should not know how the data is stored, but sanitizing needs that knowledge (e.g. mysql_real_escape_string() for storing in MySQL vs. pg_escape_string() for PostgreSQL, or maybe checking for valid XML if stored in an XML file, or something else for different storage mechanisms). To prevent things like cross-site scripting, do not sanitize the data before storing, as you may have some legitimate use for some HTML tags later on, and do that (ideally) in the view or in the controller.
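An added example, not code from the question or the answer: plain PHP with PDO and an in-memory SQLite table (the Tag class, saveTagsFromForm and renderTag are hypothetical names) that keeps tag normalization and storage-specific handling in the model, leaves the controller to explode the field, and escapes for HTML only in the view. Bound parameters stand in for the driver-specific escape calls the answer mentions, so the controller never learns which database is behind the model.

```php
<?php
// Added example (not the asker's CakePHP code): PDO + SQLite in memory,
// showing which MVC layer owns which kind of data handling.
final class Tag
{
    public function __construct(private PDO $db) {}

    // Model: business-rule normalization (trim, length, slug) lives here, and
    // storage escaping is delegated to bound parameters for whatever backend is used.
    public function addOrIncrement(string $rawName): ?string
    {
        $name = trim($rawName);
        if ($name === '' || strlen($name) > 40) { return null; }   // empty or oversized tag
        $slug = trim(preg_replace('/[^a-z0-9]+/', '-', strtolower($name)), '-');
        if ($slug === '') { return null; }                          // nothing slug-worthy, e.g. "!!!"
        // New tag starts at count 1; an existing slug just gets its counter bumped.
        $stmt = $this->db->prepare(
            'INSERT INTO tags (name, slug, "count") VALUES (:name, :slug, 1)
             ON CONFLICT(slug) DO UPDATE SET "count" = "count" + 1'
        );
        $stmt->execute([':name' => $name, ':slug' => $slug]);
        return $slug;
    }

    public function countOf(string $slug): int
    {
        $stmt = $this->db->prepare('SELECT "count" FROM tags WHERE slug = :slug');
        $stmt->execute([':slug' => $slug]);
        return (int) $stmt->fetchColumn();
    }
}

// Controller: only splits the comma-separated field and hands each piece to the model.
function saveTagsFromForm(Tag $tag, string $field): array
{
    $saved = [];
    foreach (explode(',', $field) as $raw) {
        $slug = $tag->addOrIncrement($raw);
        if ($slug !== null) { $saved[] = $slug; }
    }
    return $saved;
}

// View: HTML-escape at output time; the stored name stays as the user typed it.
function renderTag(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT, slug TEXT UNIQUE, "count" INTEGER)');
$tag = new Tag($db);
echo implode(' ', saveTagsFromForm($tag, ' PHP , <b>Cake PHP</b>, php, ,')), "\n";
echo $tag->countOf('php'), "\n", renderTag('<b>Cake PHP</b>'), "\n";
```

The constructed form value exercises the three cases the question raises: a duplicate tag that only increments the counter, an empty entry that is rejected in the model, and a name containing markup that is stored verbatim and escaped by the view.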