Question
I don't really want to call the Zend filter in my code after every getRequest->getParam('x') if I don't have to. Is there a lazy way of filtering everything inside getRequest magically?
Edit: When I say filter, I mean escaping tags, cleaning out the XSS, and escaping any SQL escape characters.
i.e:
$myVar = $this->getRequest()->getParam('x');
filter the variable, escape SQL stuff... etc.
What's the standard? How are you doing it?
Answer 1:
There are a few ways to deal with your situation.
First of all, you can get all params at once:
$params = $this->_request->getParams(); //_request is equivalent to getRequest()
So a lazy way to filter all your params would be to use the '*' key when declaring your filters, which means all fields, and would look something like:
$filters = array('*' => array('StringTrim','HtmlEntities','StripTags'));
$input = new Zend_Filter_Input($filters,$validators,$params);
if($input->isValid()) {
//blah blah blah
}
You should read more about the request object, as well as filters, input filters and validators.
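As an added example (not code from the answer above), here is the wildcard rule carried through end to end with Zend Framework 1.x: all fields get StringTrim and StripTags, 'id' additionally gets a Digits filter and validator, and the result is read back with getUnescaped() for storage and getEscaped() for display. The input array is constructed in place of $this->getRequest()->getParams(); the autoloader path and the field names are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes Zend Framework 1.x is on
// the include path; the request parameters are constructed inline.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed sample input standing in for $this->getRequest()->getParams().
$params = array(
    'id'      => '42',
    'name'    => '  <b>Alice</b> <script>alert(1)</script> ',
    'comment' => "O'Reilly & <i>sons</i>",
);

// '*' (Zend_Filter_Input::RULE_WILDCARD) applies these filters to every field;
// field-specific rules are applied in addition, in declaration order.
$filters = array(
    '*'  => array('StringTrim', 'StripTags'),
    'id' => array('Digits'),
);

// Every field needs a validator rule: Zend_Filter_Input treats a field that no
// rule mentions as "unknown", and isValid() then returns false.
$validators = array(
    'id'      => array('Digits', 'presence' => 'required'),
    'name'    => array('NotEmpty'),
    'comment' => array('NotEmpty'),
);

$input = new Zend_Filter_Input($filters, $validators, $params);

if (!$input->isValid()) {
    // getMessages() is keyed by field name; log it instead of echoing raw input.
    error_log(print_r($input->getMessages(), true));
    exit(1);
}

// getUnescaped() returns the filtered values without HTML encoding: use these
// for storage and database lookups (together with parameterized queries).
$clean = $input->getUnescaped();
var_dump($clean);

// getEscaped() additionally runs the escape filter (HtmlEntities by default),
// which is what a view needs; keeping it out of the database avoids the
// double-encoding and search problems the other answers mention.
echo $input->getEscaped('comment'), "\n";
```

Run it with the PHP CLI; the var_dump shows the trimmed, tag-stripped values while the last line prints the HTML-encoded comment. Because the escape step is applied on read rather than on store, the same filtered array can feed both the database and the view without encoding twice.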
Answer 2:
The only way is to do it every way.
- use Zend_Filter_Input (as noted above by karim79) to filter things to how they should be stored or looked up by (stripping tags with StripTags, casting to Int, StringTrim, etc), validating where validation needed - but not htmlentities since that should probably be done on output to avoid complications in db search, etc. Fields should be individually filtered/validated in most cases.
- use parameterized queries (Zend_Db_Select with ? placeholders) always, or at least use the db escape functions
- escape all output (Zend_View_Helper_Escape->$this->escape()) as necessary.
Answer 3:
karim79's answer covers grabbing the params in one array.
Generally you shouldn't need Zend_Filter on a per request basis to clean up data.
To prevent XSS you should escape data output in a view:
$this->escape($someUserSuppliedData)
and when dealing with Zend_Db some methods such as insert and update will quote data for you. When constructing queries manually you can use the Zend_Db functions like quote.
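Answers 2 and 3 both separate the two concerns: quoting or binding at the database boundary and HTML encoding at the view boundary. The following added example (not code from either answer) shows both on Zend Framework 1.x with an in-memory SQLite database so it runs offline: insert() binds its own values, a '?' placeholder in Zend_Db_Select::where() and quote() handle a value containing a quote character, and Zend_View::escape() encodes the stored name only when it is rendered. The table layout, the sample rows and the autoloader path are assumptions.

```php
<?php
// Added example, not from the original answers. Assumes Zend Framework 1.x on
// the include path and the PDO SQLite extension; the database and every input
// value are constructed in memory for the demonstration.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Constructed user input: filtered (tags would normally be stripped upstream)
// but deliberately NOT HTML-encoded, so the database holds the real value.
$name  = "O'Brien <script>alert(1)</script>";
$email = "o'brien@example.com";

// 1. Writes: insert() and update() bind or quote the values themselves.
$db->insert('users', array('name' => $name, 'email' => $email));

// 2. Reads: the '?' placeholder in where() is quoted by the adapter, so the
//    apostrophe in the e-mail address neither breaks the query nor alters it.
$select = $db->select()->from('users')->where('email = ?', $email);
$row    = $db->fetchRow($select);
printf("select with placeholder matched id %d\n", $row['id']);

// quote() / quoteInto() give the same protection when you assemble SQL by hand.
$sql = 'SELECT COUNT(*) FROM users WHERE email = ' . $db->quote($email);
printf("hand-built query with quote() matched %d row(s)\n", $db->fetchOne($sql));
$sql = $db->quoteInto('SELECT COUNT(*) FROM users WHERE email = ?', $email);
printf("hand-built query with quoteInto() matched %d row(s)\n", $db->fetchOne($sql));

// 3. Output: encode at render time. Zend_View::escape() uses htmlspecialchars()
//    by default, which neutralises the stored <script> tag in the page.
$view = new Zend_View();
echo 'rendered name: ', $view->escape($row['name']), "\n";
```

The point to take from running it is that the same stored string passes through two different encoders depending on where it goes: the database adapter handles SQL quoting, the view handles HTML encoding, and neither step is done in advance on the request parameters.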
Answer 4:
Maybe he is looking for a way to overload the getRequest() method and then filter the request object inside the newly created method.
Check out: http://framework.zend.com/manual/en/zend.controller.plugins.html
Then you can just use the Zend_Filter class or create your own filter class overloading the above.
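One concrete shape for the plugin approach, as an added example that is not part of the answer above: a Zend_Controller_Plugin_Abstract subclass whose preDispatch() hook runs a Zend_Filter chain over every request parameter (recursing into array parameters) before the action sees them. The chain trims and strips tags only; HTML encoding is left to the view and SQL quoting to Zend_Db, as the other answers recommend. The class name, the filter chain and the constructed Zend_Controller_Request_Simple used to exercise it are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes Zend Framework 1.x on
// the include path; the request below is constructed so no HTTP layer is needed.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class My_Plugin_FilterParams extends Zend_Controller_Plugin_Abstract
{
    /** @var Zend_Filter filter chain applied to every scalar parameter */
    private $_filter;

    public function __construct()
    {
        // No HtmlEntities here: encoding belongs at output time ($view->escape()),
        // otherwise stored data is double-encoded and database searches break.
        $this->_filter = new Zend_Filter();
        $this->_filter->addFilter(new Zend_Filter_StringTrim())
                      ->addFilter(new Zend_Filter_StripTags());
    }

    // Called by the front controller before each action is dispatched.
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        foreach ($request->getParams() as $name => $value) {
            $request->setParam($name, $this->_filterValue($value));
        }
    }

    // Apply the chain to a scalar, or to every leaf of a nested array parameter.
    private function _filterValue($value)
    {
        if (is_array($value)) {
            return array_map(array($this, '_filterValue'), $value);
        }
        return $this->_filter->filter((string) $value);
    }
}

// Registration belongs in the bootstrap:
// Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_FilterParams());

// Stand-alone exercise of the hook with a constructed request.
$request = new Zend_Controller_Request_Simple('index', 'index', 'default', array(
    'q'    => '  <script>alert(1)</script>search  ',
    'tags' => array('<b>php</b>', ' zend '),
));
$plugin = new My_Plugin_FilterParams();
$plugin->preDispatch($request);
var_dump($request->getParams());
```

Note that a plugin like this is a convenience, not the control that prevents XSS or SQL injection: StripTags only removes markup it recognises, so the view still has to escape on output and queries still have to use placeholders, exactly as the earlier answers state.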
Source: https://stackoverflow.com/questions/865649/is-there-a-way-to-auto-filter-the-getrequest-params-in-zend