doulang2311 2009-02-03 15:40
Views: 45
Accepted

What's the best way to escape user output with Zend Framework?

I'm a little confused by what I should use to escape user output.

Firstly, there's the Zend_Filter_Input class which looks like it might do what I want but seems oriented towards batch filtering lots of items. At the moment I only want to filter one. Also I'm a little confused by the definition of escapers compared to filters. What's the difference between the StringTrim filter and the escaper?

Is there a better solution for escaping single elements?


3 answers

  • dsqve08622 2009-02-03 18:07

    Filters are great on your forms so that you can clean & normalize your data before processing/storing it. You mentioned StringTrim - you've got other ones that ensure capitalization or that your input is all numeric (or alphanumeric or...). Make a note that this is to ensure consistency and sanity in your data - not for avoiding SQL injection - ZF's Database libraries handle that as a separate issue.

    On the flip-side of this, you get to escape things for output. While "x < 5" or "PB&J" may be perfectly valid data to store and process in your system, they can cause problems when displayed on a web page. This is why you'd normally use htmlspecialchars() or htmlentities() - by default, Zend_View uses htmlspecialchars() when you $this->escape($foo).

    This answer was selected by the asker as the best answer.
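The distinction the answer draws between input filtering and output escaping, as an added example that is not part of the original thread and not Zend Framework code. It uses plain PHP so it runs without the framework: trim() stands in for the StringTrim filter and htmlspecialchars() is what Zend_View's $this->escape() calls underneath; the sample strings are constructed and include the two from the answer above.

```php
<?php
// Added example (not from the original thread): input filtering normalises
// what is stored, output escaping makes it safe to render as HTML. Plain PHP
// only; Zend_View's $this->escape() wraps htmlspecialchars() the same way,
// and Zend_Filter_StringTrim wraps trim().

// Input-side filter: normalise what the user typed before storing it.
// Trimming whitespace does nothing to make the value safe for HTML output.
function filterInput(string $raw): string
{
    return trim($raw);
}

// Output-side escaper: encode HTML metacharacters right before rendering.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// attribute values delimited by either quote style.
function escapeOutput(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs, including the two from the answer above.
$samples = [
    "  x < 5  ",
    "PB&J",
    '<script>alert("demo")</script>',
    "O'Reilly",
];

foreach ($samples as $raw) {
    $stored  = filterInput($raw);      // what goes into the database
    $escaped = escapeOutput($stored);  // what goes into the HTML page
    printf("stored:  %s\nescaped: %s\n\n", $stored, $escaped);
}

// Pitfall: escaping belongs to the rendering step only. Escaping before
// storing and again on output double-encodes the text ("&amp;lt;" and so on).
$double = escapeOutput(escapeOutput("x < 5"));
echo "double-escaped: $double\n";

// Rendering: the escaped value is safe both as element text and inside an
// attribute, because <, >, &, " and ' have all been encoded.
$name = escapeOutput(filterInput('<b>"quoted" & bold</b>'));
echo '<input type="text" value="' . $name . '">' . "\n";
echo "<p>$name</p>\n";
```

Run it with `php example.php`. Note that "x < 5" and "PB&J" are stored unchanged apart from trimming, which is the point of the answer: the database keeps the real data and the HTML escaper is applied once, at output time, to every value that reaches a template. Escaping earlier, or storing already-escaped text, is what produces the double-encoded `&amp;lt;` shown in the pitfall section.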

