-- iceangel89 <comet2...@gmail.com> wrote (on Saturday, 06 June 2009, 03:12 AM -0700):
> what do i need to know to develop an app that is relatively safe from common
> security issues like SQL Injections, XSS etc etc?
>
> did i read some where that getRequest()->getParam('something') will be
> filtered by default?

No, that is not the case, though it has been proposed. The problem with this
approach is that it is difficult to know what data will be submitted -- and
thus how it should be filtered. One possibility would be to allow injecting a
Zend_Filter_Input object, and only allow retrieving values defined in that
object. But this is a change that will happen only in 2.0.

> btw, if something is filtered/escaped for SQL, i need to unescape it for
> display right? is that handled by ZF by default already?
>
> when i output for the output in HTML, how do i "escape" to reduce the risk
> of XSS?
> what happens if i need to output HTML? i need to disable this behavior?

The security mantra is "filter input, escape output." Within ZF, filtering in
this sense is usually the domain of Zend_Validate, which allows you to be
selective about what you consider valid input, while escaping is the role of a
variety of components, including Zend_View, Zend_Filter, Zend_Db, and even the
various server components. Escaping happens anytime you are sending data
somewhere else -- back to the browser or other client, or even to the
_database_.

What you're actually asking about is two different types of escaping.

When it comes to the database, you should be using Zend_Db_Select, the
adapter's quoting mechanism, or bound parameters. Zend_Db facilitates all of
this. As an example, using Zend_Db_Select's where() method, you can be certain
that the values will be escaped properly:

    $select->where('id = ?', $id);

Using either the adapter's or Zend_Db_Table's insert() or update() methods, you
also get appropriate escaping of the values provided.

When it comes to creating markup (HTML), use Zend_View's escape() method when
outputting suspect data:

    <?php echo $this->escape($this->foo) ?>

(In 2.0, we will make escaping the default within Zend_View, and require you to
explicitly ask for raw data if you don't want escaping.)

-- 
Matthew Weier O'Phinney
Project Lead | matt...@zend.com
Zend Framework | http://framework.zend.com/
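The two escaping boundaries the reply describes, put together in one script as an added example (not from the thread or the Zend Framework project). It assumes Zend Framework 1.x on the include path, a hypothetical `users` table with `id`, `name` and `bio` columns, and the placeholder adapter settings shown; `findUser` is a helper written for this example.

```php
<?php
// Added example (not from the thread): "filter input, escape output" in ZF 1.x.
// The table, columns and adapter settings below are hypothetical placeholders.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'appdb',
));

// Filter input: getParam() hands back the raw value, so the caller decides
// what is acceptable. Here only an integer id is valid; anything else is
// rejected rather than "cleaned up".
function findUser(Zend_Db_Adapter_Abstract $db, $rawId)
{
    $validator = new Zend_Validate_Int();
    if (!$validator->isValid($rawId)) {
        return null;
    }

    // Escape output toward the database: the ? placeholder makes Zend_Db
    // quote the value when the SELECT is rendered. This replaces the unsafe
    // concatenation  "SELECT * FROM users WHERE id = " . $rawId
    $select = $db->select()
                 ->from('users', array('id', 'name', 'bio'))
                 ->where('id = ?', (int) $rawId);
    return $db->fetchRow($select);
}

// Escape output toward the browser. The stored value is never altered by the
// database escaping, so there is nothing to "unescape"; HTML escaping is
// applied only at the point where the value becomes markup.
$view = new Zend_View();
$user = findUser($db, isset($_GET['id']) ? $_GET['id'] : null);
if ($user !== null) {
    echo '<p>Hello, ' . $view->escape($user['name']) . '</p>';

    // A field that is allowed to carry markup is reduced to a known tag set
    // with Zend_Filter_StripTags (an option the thread does not discuss)
    // rather than being echoed raw with escaping switched off.
    $stripTags = new Zend_Filter_StripTags(array('allowTags' => array('b', 'i')));
    echo '<div>' . $stripTags->filter($user['bio']) . '</div>';
}
```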