Comments on: Models In The Zend Framework – Part 2 http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/ Blog about web development and Internet entrepreneurship Wed, 03 Mar 2010 01:05:40 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Grantus Maximus Web Blog » Wheres the Model in Zend Frameworks MVC? http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-714 Grantus Maximus Web Blog » Wheres the Model in Zend Frameworks MVC? Fri, 05 Dec 2008 13:07:36 +0000 http://www.techfounder.net/?p=24#comment-714 [...] just about to start my next and decided to see if there is a better solution out there… The best article I’ve found was at techfounder and was proposing the second option as well and had some good [...] [...] just about to start my next and decided to see if there is a better solution out there… The best article I’ve found was at techfounder and was proposing the second option as well and had some good [...]

]]> By: Wheres the Model in Zend Frameworks MVC? | Child of the Machine http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-713 Wheres the Model in Zend Frameworks MVC? | Child of the Machine Fri, 05 Dec 2008 13:02:54 +0000 http://www.techfounder.net/?p=24#comment-713 [...] just about to start my next and decided to see if there is a better solution out there… The best article I’ve found was at techfounder and was proposing the second option as well and had some good examples. I’d be interested to [...] [...] just about to start my next and decided to see if there is a better solution out there… The best article I’ve found was at techfounder and was proposing the second option as well and had some good examples. I’d be interested to [...]

]]> By: Eran Galperin http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-80 Eran Galperin Fri, 11 Jul 2008 19:34:41 +0000 http://www.techfounder.net/?p=24#comment-80 Yes, you are absolutely correct - thanks for pointing that out :) As can be inferred, I used example code from my start-up Octabox in which I employ this solution extensively. Yes, you are absolutely correct – thanks for pointing that out :)

As can be inferred, I used example code from my start-up Octabox in which I employ this solution extensively.

]]> By: Doug http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-79 Doug Fri, 11 Jul 2008 15:56:33 +0000 http://www.techfounder.net/?p=24#comment-79 Hey, this was exactly what I was looking for. Coming from a Rails background I had trouble wrapping my head around how to put validation in the models. ZF's approach is so much more decoupled than Rails' model/validation mechanism. Pretty interesting. One question: The first code example is with a class named Techfounder_Db_Model, while the second class, which adds the update and insert methods, is named Octabox_Db_Model. That should be Techfounder_Db_Model too, correct? Hey, this was exactly what I was looking for. Coming from a Rails background I had trouble wrapping my head around how to put validation in the models. ZF’s approach is so much more decoupled than Rails’ model/validation mechanism. Pretty interesting. One question: The first code example is with a class named Techfounder_Db_Model, while the second class, which adds the update and insert methods, is named Octabox_Db_Model. That should be Techfounder_Db_Model too, correct?

]]> By: matthijs http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-31 matthijs Mon, 26 May 2008 08:58:18 +0000 http://www.techfounder.net/?p=24#comment-31 It is a pretty difficult subject (also for me). I just remembered this article http://www.webappsec.org/projects/articles/091007.shtml which explains the sql injection issue in more detail. An excellent read. And together with the examples you can test locally, it makes it obvious that it's not as simple as use function A to protect for B or C for D, but there's a lot more to think about for every query one writes. So me saying mysql_real_escape_string() is pretty bullet-proof is not entirely true .. I must also stand corrected. It is a pretty difficult subject (also for me). I just remembered this article http://www.webappsec.org/projects/articles/091007.shtml
which explains the sql injection issue in more detail. An excellent read. And together with the examples you can test locally, it makes it obvious that it’s not as simple as use function A to protect for B or C for D, but there’s a lot more to think about for every query one writes. So me saying mysql_real_escape_string() is pretty bullet-proof is not entirely true .. I must also stand corrected.

]]> By: Eran Galperin http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-30 Eran Galperin Mon, 26 May 2008 08:20:18 +0000 http://www.techfounder.net/?p=24#comment-30 I've been reading about SQL injection attacks recently and it appears that you might be right. It's better to use the Zend_Db intrinsic quoting functions that use the real_escape_string methods of the different adapters. I’ve been reading about SQL injection attacks recently and it appears that you might be right. It’s better to use the Zend_Db intrinsic quoting functions that use the real_escape_string methods of the different adapters.

]]> By: matthijs http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-29 matthijs Mon, 26 May 2008 06:45:37 +0000 http://www.techfounder.net/?p=24#comment-29 I'm no security expert either, but I'm pretty sure that's not true. Htmlentities is not the function to be used to protect against sql injection. If you want more protection against that you can also use prepared statements (using PDO for example). I'm also pretty sure that mysql_real_escape_string is bullet-proof (although in security terms you are not allowed to speak about 100% security). Htmlentities is the recommended practice to escape html to prevent XSS, but that's a whole different security problem which has nothing to do with the db. Both Chris Shiflett and Ilia Alshanetsky have both books and sites with some pretty good info on these subjects. I’m no security expert either, but I’m pretty sure that’s not true. Htmlentities is not the function to be used to protect against sql injection. If you want more protection against that you can also use prepared statements (using PDO for example). I’m also pretty sure that mysql_real_escape_string is bullet-proof (although in security terms you are not allowed to speak about 100% security).

Htmlentities is the recommended practice to escape html to prevent XSS, but that’s a whole different security problem which has nothing to do with the db.

Both Chris Shiflett and Ilia Alshanetsky have both books and sites with some pretty good info on these subjects.

]]> By: Eran Galperin http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-26 Eran Galperin Sat, 24 May 2008 22:37:13 +0000 http://www.techfounder.net/?p=24#comment-26 To my knowledge the mysql_real_escape function is not bullet-proof, and htmlentities provides better protection. Of course I would like to preserve the original data in its form, but better escape than suffer an attack. Again, I'm no security expert but as far as I know htmlentities is the recommended practice under PHP. To my knowledge the mysql_real_escape function is not bullet-proof, and htmlentities provides better protection. Of course I would like to preserve the original data in its form, but better escape than suffer an attack. Again, I’m no security expert but as far as I know htmlentities is the recommended practice under PHP.

]]> By: matthijs http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-25 matthijs Sat, 24 May 2008 21:39:49 +0000 http://www.techfounder.net/?p=24#comment-25 I understand that htmlentities is for "security" reasons. But the thing is, escaping output is context dependent. So say an ampersand &. That doesn't have to be escaped if it's inserted in a database, because in that context it does no harm. However, when it is outputted to HTML, it needs to be escaped with htmlentities to keep your HTML valid (no real security risk there, but that's just this example). The basic principle is that you want to keep your data the way it is original. using htmlentities before inserting it in the db changes the data for no reason. Because htmlentities does nothing in the context of inserting data in a db. Only when outputting data to HTML is htmlentities of use. When you insert data in a db, it needs to be escaped using a function that is useful in that context. That's mysql_real_escape_string for mysql. I understand that htmlentities is for “security” reasons. But the thing is, escaping output is context dependent. So say an ampersand &. That doesn’t have to be escaped if it’s inserted in a database, because in that context it does no harm. However, when it is outputted to HTML, it needs to be escaped with htmlentities to keep your HTML valid (no real security risk there, but that’s just this example).

The basic principle is that you want to keep your data the way it is original. using htmlentities before inserting it in the db changes the data for no reason. Because htmlentities does nothing in the context of inserting data in a db. Only when outputting data to HTML is htmlentities of use. When you insert data in a db, it needs to be escaped using a function that is useful in that context. That’s mysql_real_escape_string for mysql.

]]> By: Eran Galperin http://www.techfounder.net/2008/05/21/models-in-the-zend-framework-part-2/comment-page-1/#comment-24 Eran Galperin Sat, 24 May 2008 17:47:50 +0000 http://www.techfounder.net/?p=24#comment-24 htmlentities is for security reasons obviously. I'm not a security expert, so I have to use brute-force. If you have a better idea you are welcome to suggest :) htmlentities is for security reasons obviously. I’m not a security expert, so I have to use brute-force. If you have a better idea you are welcome to suggest :)

]]>