Recently I was assigned to a project and I see this in the controller:
if ($this->getRequest()->isPost()) {
    // Escaper here is Zend\Escaper\Escaper (assumed from the ZF2 getRequest()/forward() calls)
    $escapar = new Escaper('utf-8');
    $consulta = $this->getRequest()->getPost();
    // Every search field is HTML-escaped before it is handed to the model
    $nombreComercial = $escapar->escapeHtml($consulta['nombreComercial']);
    $razonSocial = $escapar->escapeHtml($consulta['razonSocial']);
    $rfc = $escapar->escapeHtml($consulta['rfc']);
    $estado = $escapar->escapeHtml($consulta['estado']);
    $municipio = $escapar->escapeHtml($consulta['municipio']);
    $sectorprimario = $escapar->escapeHtml($consulta['sectorprimario']);
    $sectorsecundario = $escapar->escapeHtml($consulta['sectorsecundario']);
    $localidad = $escapar->escapeHtml($consulta['localidad']);
    $telefono = $escapar->escapeHtml($consulta['telefono']);
    $empresa = new Empresa($this->dbAdapter);
    // $identi is defined outside this snippet
    $empresas = $empresa->searchEmpresas($nombreComercial, $razonSocial, $rfc, $estado, $municipio, $localidad, $sectorprimario, $sectorsecundario, $telefono, $identi->id_institucion);
    return $this->forward()->dispatch('Gestion\Controller\Cpanel', array(
        'action' => 'searchpymes',
        'nombreComercial' => $nombreComercial,
        'consulta' => $empresas,
    ));
}
Is it correct to use escapeHtml to get the incoming data from the POST request?
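An added example (mine, not code from the question or from the project it describes) that contrasts escaping the POST values on input, as the controller above does, with validating on input, binding the value as a query parameter, and escaping only where it is rendered as HTML. It assumes an in-memory SQLite table in place of the project's database, that the escapeHtml() function below behaves like Escaper::escapeHtml (which wraps htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE in the given encoding), and that the validRazonSocial() whitelist is a constructed placeholder rather than a project rule.

```php
<?php
// Added example, not code from the original post or its project. It shows what
// escaping the POST values on the way in does to the data, and the alternative
// of validating on input, binding the value as a query parameter, and escaping
// only at the point where the value is rendered as HTML.
// Assumptions: an in-memory SQLite table stands in for the project's "empresa"
// data, and escapeHtml() mirrors Escaper::escapeHtml, which wraps
// htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE in the given encoding.

function escapeHtml(string $value, string $encoding = 'utf-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Input validation for a company name: bounded length and a character whitelist.
// The whitelist is a constructed example, not a rule taken from the project.
function validRazonSocial(string $value): bool
{
    return $value !== ''
        && mb_strlen($value, 'UTF-8') <= 200
        && preg_match('/^[\p{L}\p{N} .,&\'-]+$/u', $value) === 1;
}

// Constructed sample request, standing in for $this->getRequest()->getPost().
$post = ['razonSocial' => "O'Reilly & Sons"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE empresa (id INTEGER PRIMARY KEY, razon_social TEXT)');
$insert = $db->prepare('INSERT INTO empresa (razon_social) VALUES (:rs)');
$insert->execute([':rs' => "O'Reilly & Sons"]);

$search = $db->prepare('SELECT COUNT(*) FROM empresa WHERE razon_social = :rs');

// 1. Escaping on input: the apostrophe and ampersand become HTML entities
//    before the value reaches the query, so it no longer equals the stored
//    company name and the search finds nothing. The entities do not make the
//    value safe for SQL either; the bound parameter is what does that.
$escapedOnInput = escapeHtml($post['razonSocial']);
$search->execute([':rs' => $escapedOnInput]);
printf("escaped on input : %s -> %d match(es)\n", $escapedOnInput, $search->fetchColumn());

// 2. Validate the raw value, reject what does not fit, and bind it unchanged.
$raw = $post['razonSocial'];
if (!validRazonSocial($raw)) {
    http_response_code(400);
    exit("razonSocial rejected by validation\n");
}
$search->execute([':rs' => $raw]);
printf("validated + bound: %s -> %d match(es)\n", $raw, $search->fetchColumn());

// 3. Escape at output, in the HTML context where the value is rendered.
printf("rendered         : <td>%s</td>\n", escapeHtml($raw));

// Had the entity-encoded value been stored, escaping it again when rendering
// would double-encode it (the "&" of each entity becomes "&amp;").
printf("double-encoded   : <td>%s</td>\n", escapeHtml($escapedOnInput));
```

Run it with `php example.php`. The first search finds no row because the entity-encoded value differs from what is stored, the second finds the row, and the last line shows the double encoding you get when an already-escaped stored value is escaped again in the view. That is the practical reason escapeHtml belongs in the view layer: it encodes for an HTML context, while protection of the query comes from parameter binding in the model, not from the encoding.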