Zend_Filter_Input provides facilities to promote a structured approach to input data filtering. It serves multiple purposes because it caters to the needs of three different groups of people:
Developers
Although filtering input can never be as easy as doing nothing, developers need to ensure the integrity of their data without adding unnecessary complexity to their code.
Managers
Managers of all types who need to maintain control over a large group of developers can enforce a structured approach to input filtering by restricting or eliminating access to raw input.
Auditors
Those who audit an application's code need to quickly and reliably identify when and where raw input is used by a developer. The characteristics that promote code clarity also aid auditors by providing a clear distinction among the different approaches to input filtering.
There are a variety of approaches to input filtering, and there are also a variety of methods that PHP developers can use. Whitelist filtering, blacklist filtering, regular expressions, conditional statements, and native PHP functions are just a few examples of the input filtering potpourri.
In order to provide a structured approach to input filtering, by default, Zend_Filter_Input attempts to enforce controlled access to input by setting the reference to the source data array to null.
In the default (strict) approach, a single argument is passed to the constructor - an array of data to filter. Unfiltered data may only be accessed through the getRaw() method:
<?php
// $_POST['email'] === 'webmaster@example.com'

// Filter the $_POST data array
require_once 'Zend/Filter/Input.php';
$filterPost = new Zend_Filter_Input($_POST);

// $_POST is now null
echo null === $_POST ? 'yes' : 'no'; // prints 'yes'

// Get the raw e-mail value
echo $filterPost->getRaw('email'); // prints 'webmaster@example.com'
Zend_Filter_Input sets the array that is passed ($_POST) to null, so direct access is no longer possible. (The raw data are only available through the getRaw() method, which is much easier to monitor and/or avoid altogether.)
In the optional (non-strict) approach, false is passed as the second argument to the constructor:
<?php
// $_POST['email'] === 'webmaster@example.com'

// Filter the $_POST data array
require_once 'Zend/Filter/Input.php';
$filterPost = new Zend_Filter_Input($_POST, false);

// $_POST remains not null
echo null === $_POST ? 'yes' : 'no'; // prints 'no'

// Get the raw e-mail value
echo $filterPost->getRaw('email'); // prints 'webmaster@example.com'
The use of the filter is exactly the same, but Zend_Filter_Input does not set the original array ($_POST) to null, so developers can still access it directly. This approach is discouraged in favor of the strict approach.
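The following is an added illustration of the strict mechanism described above, not Zend_Filter_Input's own code: a minimal wrapper (hypothetical name StrictInputWrapper) takes the source array by reference, keeps a private copy, and in strict mode sets the caller's variable to null so the only remaining path to raw input is getRaw(), which an auditor can search for.

```php
<?php
// Added illustration, not the Zend_Filter_Input implementation.
// Takes the source array by reference; in strict mode the caller's
// variable is nulled so raw input is reachable only via getRaw().
class StrictInputWrapper
{
    private $data;

    public function __construct(array &$source, $strict = true)
    {
        $this->data = $source;   // private copy of the raw input
        if ($strict) {
            $source = null;      // caller's $_POST is now null
        }
    }

    public function getRaw($key)
    {
        return array_key_exists($key, $this->data) ? $this->data[$key] : null;
    }
}

// Constructed sample input standing in for a real request
$_POST = array('email' => 'webmaster@example.com', 'name' => 'Ann');

// Strict mode: the superglobal itself becomes null
$strict = new StrictInputWrapper($_POST);
var_dump($_POST === null);                 // bool(true)
var_dump(isset($_POST['email']));          // bool(false): direct access is gone
var_dump($strict->getRaw('email'));        // string(21) "webmaster@example.com"
var_dump($strict->getRaw('missing'));      // NULL: unknown keys yield null

// Non-strict mode: the array is left in place (the discouraged approach)
$_POST = array('email' => 'webmaster@example.com');
$loose = new StrictInputWrapper($_POST, false);
var_dump($_POST === null);                 // bool(false)
var_dump($loose->getRaw('email') === $_POST['email']); // bool(true)
```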
Zend_Filter_Input is designed primarily with arrays in mind. Many sources of input are already covered by PHP's superglobal arrays ($_GET, $_POST, $_COOKIE, etc.), and arrays are a common construct used to store input from other sources. If you need to filter a scalar, see Chapter 11, Zend_Filter.