-- Pádraic Brady <[EMAIL PROTECTED]> wrote
(on Thursday, 22 March 2007, 03:36 AM -0700):
> I agree with you, Simon - if we have too many sources for input
> variables, some of which check varying sources in priority, it's just
> another $_REQUEST situation where these values could conceivably come
> from anywhere. It's better practice to use a method which selects
> values from a known source, on the basis that if it comes from anywhere
> else unexpectedly it should ring a few alarm bells for the developer. I'd
> actually call it first line filtering/validation - if we know a value
> should be received via POST then if the same value is retrievable from
> GET it should be ignored unless it's for a valid reason.

Please remember that Zend_Controller_Request_* was built to help with
routing and dispatching -- which is why getParam() pulls from a variety
of sources (when determining how to route a request, the salient input
could come from a variety of sources -- the path, query parameters, post
parameters, etc.). It was never intended as a general-purpose object for
input filtering -- that's a goal for a later iteration, which will still
need to account for the variety of sources when dealing with routing.


> ----- Original Message ----
> From: Simon R Jones <[EMAIL PROTECTED]>
> To: Zend Mailing List <fw-general@lists.zend.com>
> Sent: Thursday, March 22, 2007 8:13:19 AM
> Subject: RE: [fw-general] Zend_Filter_Input...
> 
> > You can use $this->_getParam('key', 'default'); in a Controller, because
> > _getParam() uses the Request->getParam() method, which tries first to
> > load the param from the URL, then from $_GET and after this from $_POST.
> 
> If $this->_getParam() looks at the URL, GET and POST isn't it a potential
> security issue to use it for POST variables since you don't know exactly
> where your input variables are coming from?
> 
> Seems rather similar to $_REQUEST to me which should also be avoided for
> similar reasons -
> http://shiflett.org/articles/ideology
> 
> A quick look at the (nicely growing) manual it seems you can do the
> following which does the job nicely for POST variables:
> 
> $myVar = $this->getRequest()->getPost('name');
> 
> (See API docs / Zend_Controller_Request_Http for more)
> 
> There do seem to be a lot of methods that return variables from GET, POST,
> COOKIE, etc. I think it would be a good idea to mention the security
> implications of depending on these in the manual.

-- 
Matthew Weier O'Phinney
PHP Developer            | [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/
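An added illustration of the point argued in this thread (not code from the thread or from Zend Framework): a stand-in for the any-source lookup order the quoted message describes (route/path params, then $_GET, then $_POST) beside a strict POST-only accessor that logs when the same key arrives through another channel. The function names and the sample request arrays are assumptions made for the example.

```php
<?php
// Illustration only, not Zend Framework code. Models the lookup order the
// thread describes: path params first, then query string, then post body.

/** Mimics a getParam()-style accessor: first source holding the key wins. */
function getParamAnySource(array $pathParams, array $get, array $post, string $key, $default = null)
{
    // Note the priority: a query-string value is consulted before the form body.
    foreach ([$pathParams, $get, $post] as $source) {
        if (array_key_exists($key, $source)) {
            return $source[$key];
        }
    }
    return $default;
}

/**
 * Strict accessor for a field that must come from POST. Only the post body
 * is used; if the key also shows up in the path or query string, that is the
 * "alarm bell" case from the thread, so it is logged for the developer.
 */
function getPostStrict(array $pathParams, array $get, array $post, string $key, $default = null)
{
    foreach (['path' => $pathParams, 'query' => $get] as $name => $source) {
        if (array_key_exists($key, $source)) {
            error_log(sprintf("unexpected '%s' supplied via %s for a POST-only field", $key, $name));
        }
    }
    return array_key_exists($key, $post) ? $post[$key] : $default;
}

// Constructed sample request (hypothetical values): the submitted form
// carries confirm=no, while the request URL also carries ?confirm=yes.
$pathParams = [];
$get        = ['confirm' => 'yes'];
$post       = ['confirm' => 'no'];

// Any-source lookup: the query-string copy shadows what the form actually sent.
var_dump(getParamAnySource($pathParams, $get, $post, 'confirm'));

// Strict lookup: the form value is used and the stray query parameter is logged.
var_dump(getPostStrict($pathParams, $get, $post, 'confirm'));
```

Run with `php example.php` and watch stderr for the logged cross-channel warning.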
