-1

I am using Zend's insert() function to insert records in a database table. Eg. From the database model object, I am calling Zend_Db_Table's insert() function and passing the incoming data as an array - $data, ie

 $this->insert($data);

$data is an array. The contents of $data are of mixed datatypes -integer, money, text etc.

In order to validate the incoming $data array, I wrote a function, verifyData($data). 

private function verifyData(&$data) {
    //Trim whitespace characters from incoming data.
    foreach($data as $key => $val)
    {
        $data[$key] = trim($val);
        if(empty($data[$key])) {
            unset($data[$key]);
        }
    }

    //Checking for not null table columns
    if( empty($data['id']) || empty($data['name']) || empty($data['age'])) {
        error_log("One of the required fields is missing");
        return false;
    }
    else {
        return true;
    }
}

As written above,this function :

  1. trims the incoming data and unsets any fields from the $data array, if they are empty.
  2. Then this function checks for the presence of required fields and if any required field is missing, it returns false. In this particular definition, id, name and age are required. However, there could be other non required fields as well that I want to validate. Eg $data['salary']

I need help/suggestions in adding following validations to the above function / in any other way possible:

  1. I want to check if the datatype of each element of the array is as expected/ convert it to a particular datatype before I insert the data.
  2. I want to convert/process the incoming data such that any threat of SQL injection is taken care of.

One way to take care of the datatype check is that I loop through the incoming data array and convert specific column values to their datatypes and validate. But I want to find out if there is any efficient/standard way to implement the above two points.

An example scenario is, eg on my webform, when the new person is added to db, I need to enter name, age and salary out of which name and age are compulsory. Age and salary should be entered as integers only. I want to implement this restriction on the php level and I am using Zend Framework.

Any help/suggestions would be really appreciated.

4

2 回答 2

1

一个简单的开始方法可能是使用Zend_filter_Input,它使用 Zend_Validation 和 Zend_Filter 将过滤和验证应用于数据集。

//A simple exaample of how you might use Zend_Filter_Input
private function verifyData(&$data) {
    //Add any filters you want there are many standard filters, order of filters may matter
    $filters = array(
        '*' => 'StringTrim', //trim all fields
        'id' => 'Digits'     //filter for digits on id field
    );
    //add any validators you want there are many standard validators, order of validators may matter
    $validators = array(
        '*' => 'NotEmpty' //check all fields for empty()
    );
$input = new Zend_Filter_Input($filters, $validators, $data) {
    if ($input->isValid() {
       return TRUE;
    } else {
       return FALSE
    }    
}

不用说这是一个不完整的例子,但它应该给你基本的想法。有许多不同的方法可以完成验证,找到你喜欢的一种,然后去做。

我个人最喜欢的是在输入阶段(表单、控制器......)进行基本过滤和验证,然后在将数据发送到映射器以插入数据库之前,在域模型中应用任何其他过滤或验证。

祝你好运...

标准过滤器
标准验证器

于 2012-07-05T09:56:38.543 回答
0

insert应该已经处理了您可能遇到的任何 SQL 注入问题。至于类型检查和转换,PHP 中有几种方法可用。例如,检查并转换为int

if(ctype_digit($something)) {
    $something = (int)$something;
}

这实际上取决于您需要的特定验证。

于 2012-07-04T21:52:47.837 回答