PHP
ozornick, 2016-08-27 14:04:34

How to secure class data?

Hello. There is a class (since theory is needed), say User, News, ... How do you work with the data that was entered?

<?php
class User {
    private $name;
    function setName($name){
        $this->name = $name;
    }

    function getName(){
        return $this->name;
    }
}
$user = new User();
$user->setName('<b>%Name+%</b>');
echo $user->getName();
// what to do when an already-built object is written to the DB:
// where is it more convenient to check, and what should be checked?
// or should every value be escaped afterwards?
// ($DB is the asker's DB wrapper; the value is glued into the SQL text,
// which is exactly the pattern the question is about)
$DB->query("INSERT ... " . $user->getName());

Yes, I can validate the data in the controller, but what if it suddenly becomes possible to write to the properties directly? Or should I forget about it, rely on the controller / model, and write whatever was entered into the class?
UPD: People asked about paranoia. It is trivial: you need to check the input type, check for emptiness, compare against the allowed values... I could pass an array instead of a number. You can explicitly declare the type of the input data, but that is narrow; you may need to extend the logic later.
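One way to keep the check inside the class itself, so that no controller can leave the object in a bad state, is shown below. This is an added example, not the asker's code or the code of any project; the concrete rules (non-empty, at most 50 characters, a whitelist of letters, digits, spaces, dots, apostrophes and hyphens) are assumed for illustration, and `tryName` is a helper written only for this demonstration.

```php
<?php
declare(strict_types=1);

// Validation lives in the setter, so the object can never hold a value that
// breaks its own rules, whichever controller or script created it.
// The rules below are assumed for illustration only.
final class User
{
    private string $name = '';

    public function setName(string $name): void
    {
        // With strict_types=1 an array or an int passed here is a TypeError,
        // which covers the "I could pass an array instead of a number" worry.
        $name = trim($name);
        if ($name === '') {
            throw new InvalidArgumentException('name must not be empty');
        }
        if (mb_strlen($name) > 50) {
            throw new InvalidArgumentException('name must be at most 50 characters');
        }
        // Whitelist: letters, digits, spaces, dots, apostrophes and hyphens.
        // The markup from the question ('<b>%Name+%</b>') fails this check and
        // is rejected here instead of being escaped somewhere downstream.
        if (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name)) {
            throw new InvalidArgumentException('name contains characters that are not allowed');
        }
        $this->name = $name;
    }

    public function getName(): string
    {
        return $this->name;
    }
}

// Demonstration helper (hypothetical): report what the setter does with an input.
function tryName(mixed $input): string
{
    $user = new User();
    try {
        $user->setName($input);
        return 'accepted: ' . $user->getName();
    } catch (TypeError $e) {
        return 'rejected (wrong type): ' . get_debug_type($input);
    } catch (InvalidArgumentException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

echo tryName('Ivan Petrov'), PHP_EOL;
echo tryName('<b>%Name+%</b>'), PHP_EOL;
echo tryName(['x']), PHP_EOL;
echo tryName(''), PHP_EOL;
```

Type declarations plus `strict_types` handle the "wrong type" case for free; the value rules are the part that may need to grow later, and keeping them in the setter means they grow in one place. Validating the value is a separate concern from escaping it for SQL or HTML, which is still needed at the point where the value is used.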


2 answer(s)
Anton Shamanov, 2016-08-27
@SilenceOfWinter

Look at ready-made implementations of the Active Record pattern and at ORMs.

ThunderCat, 2016-08-27
@ThunderCat

Usually there are separate classes for checking variable types; they are either moved out into helpers or shoved into the model logic (which, IMHO, is very clumsy). On escaping: if your string may contain special characters, which is perfectly normal, using a prepared statement saves the situation for everyone.
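The prepared-statement approach from this answer, as an added example that is not ThunderCat's code: the value is bound as a parameter, never concatenated into the SQL text, so quotes and markup in the data cannot change the query. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `users` table and its `name` column are assumed for illustration, and the sample names are constructed.

```php
<?php
declare(strict_types=1);

// In-memory SQLite so the example needs no server; the schema is assumed.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // let the driver prepare natively
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: the markup from the question and a name with a quote.
$names = ['<b>%Name+%</b>', "O'Brien", "plain name; -- still just text"];

// The SQL text is fixed; :name is a placeholder, not string interpolation.
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ($names as $name) {
    $insert->execute([':name' => $name]);
}

// Every value was stored verbatim and the table is intact.
$rows = $db->query('SELECT id, name FROM users ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    // Escaping is an output concern: when the value is rendered into HTML it
    // is escaped for HTML, regardless of how it reached the database.
    printf("%d: %s\n", $row['id'], htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
```

The two mechanisms do different jobs: the prepared statement protects the SQL, and `htmlspecialchars` protects the page the value is later shown on. Neither replaces the type and value checks the answer mentions; those decide whether the data is acceptable at all, and belong in a validator or in the model's setters.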
