-- Pádraic Brady <[EMAIL PROTECTED]> wrote (on Thursday, 22 March 2007, 03:36 AM -0700): > In agree with you Simon - if we have too many sources for input > variables, some of which check varying sources in priority it's just > another $_REQUEST situation where these values could conceivably come > from anywhere. It's better practice to use a method which selects > values from a known source on the basis if it comes from anywhere else > unexpectedly it should ring a few alarm bells for the developer. I'd > actually call it first line filtering/validation - if we know a value > should be received via POST then if the same value is retrievable from > GET it should be ignored unless it's for a valid reason.
Please remember that Zend_Controller_Request_* was built to help with routing and dispatching -- which is why getParam() pulls from a variety of sources (when determining how to route a request, the salient input could come from a variety of sources -- the path, query parameters, post parameters, etc.). It was never intended as a general-purpose object for input filtering -- that's a goal for a later iteration, which will still need to account for the variety of sources when dealing with routing. > ----- Original Message ---- > From: Simon R Jones <[EMAIL PROTECTED]> > To: Zend Mailing List <fw-general@lists.zend.com> > Sent: Thursday, March 22, 2007 8:13:19 AM > Subject: RE: [fw-general] Zend_Filter_Input... > > > You can use $this->_getParam('key', 'default'); in a Controller, because > > _getParam() use the Request->getParam() method, which tries first to > > load the param from the url, then from $_GET and after this from $_POST. > > If $this->_getParam() looks at the URL, GET and POST isn't it a potential > security issue to use it for POST variables since you don't know exactly > where your input variables are coming from? > > Seems rather similar to $_REQUEST to me which should also be avoided for > similar reasons - > http://shiflett.org/articles/ideology > > A quick look at the (nicely growing) manual it seems you can do the > following which does the job nicely for POST variables: > > $myVar = $this->getPost('name'); > > (See API docs / Zend_Controller_Request_Http for more) > > There do seem to be a lot of methods that return variables from GET, POST, > COOKIE, etc. I think it would be a good idea to mention the security > implications of depending on these in the manual.. -- Matthew Weier O'Phinney PHP Developer | [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/