
I have a "Security" class, a set of methods for input processing 'n stuff.

Should I use this in my models or controllers? (MODEL: processing input within the model, like uploading an image. CONTROLLER: on the page controller, before loading models.)

It seems as if in the models it's used too often; maybe that reduces performance?

As for programming theory, which way should I go?

"I have a "Security" class, a set of methods for input processing 'n stuff."

 

I think I said it all but ok, here's more.

 

SQL injection, HTML stripping, checking select values for whether they're numeric or not null, whether the select values offered exist, and stuff.

SQL injection, HTML stripping, checking select values for whether they're numeric or not null, whether the select values offered exist, and stuff.

 

That does not sound like it belongs in a single class.

 

We seriously can't help without seeing code.


<?php

# General input security.
class Security{

private $db;

# $db is expected to be a mysqli connection (real_escape_string is called on it).
public function __construct($db){
	$this -> db = $db;
}

# Processing all input type="text" inputs.
# stripslashes() only makes sense when magic_quotes_gpc is on; with it off,
# this silently eats legitimate backslashes typed by the user.
public function secureTextInput($string){
	$string = stripslashes($string);
	$string = $this -> db -> real_escape_string($string);
	return $string;
}

# Processing all numeric inputs (select values etc...)
# Only the is_numeric() test matters. The original "&& $num != 0" clause let
# non-numeric strings through on PHP 7, where "abc" == 0 is true, so it is
# dropped. Note that a valid "0" is returned as-is, which a caller testing
# with if($result) cannot tell apart from false.
public function checkNum($num){
	if(!is_numeric($num)){
		return false;
	}else{
		return $num;
	}
}

# Processing all textareas with more content.
public function secureTextArea($string){
	$string = nl2br($string);
	$string = $this -> secureTextInput($string);
	return $string; # the original was missing "return", so this method returned null
}

}

This is an example of it.

If you use PDO or mysqli with bind variables, there is no need to worry about SQL injection. With PDO::prepare as an example, you eliminate the need to escape data AND eliminate SQL injection concerns. I highly recommend that approach.

 

In terms of the other things you have, typically they are of concern with form processing, and many frameworks provide form-building classes which let you specify validation routines that bake in security, as well as additional user-defined validation rules. So strictly speaking, this would not be code in either the controller or the model but in a form-handling class. Take a look at Symfony2 and Zend Framework for some examples of how more sophisticated frameworks approach the problem.

 

Last but not least, XSS is something that can be neutralized in the way content is displayed. Frameworks that have templating in support of the view layer can cook data when injecting it into the view, to ensure that no active XSS is rendered.
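The reply above describes a three-way split that the Security class posted earlier collapses into one escaping step: validate in a form-handling step, use prepared statements with bound values in the model so nothing needs escaping, and escape for HTML when the view renders. The following is an added example written for this thread, not code from the original poster, the replier, or any framework they mention. It assumes PHP 7.4 or later with the pdo_sqlite extension so it runs offline; the posts table, the category list, and the hostile form input are constructed for the illustration.

```php
<?php
// Added example, not code from the original thread. It shows the split the reply
// describes: validation in a form-handling step, SQL injection prevented by PDO
// prepared statements in the model, and XSS neutralised when the view renders.
// Assumptions: PHP >= 7.4 with pdo_sqlite; the posts table, the category list
// and the hostile input below are constructed for this illustration.
declare(strict_types=1);

// Allowed <select> values. The server decides what exists, not the client.
const CATEGORIES = ['news' => 1, 'review' => 2, 'howto' => 3];

// 1. Form-handling layer: validate, don't escape. Returns [$clean, $errors];
//    $clean is only usable when $errors is empty.
function validatePostForm(array $input): array
{
    $clean = $errors = [];

    // FILTER_VALIDATE_INT rejects "", "1 OR 1=1", "1e3", "12abc"; in_array with
    // strict comparison then checks the id is one we actually offer.
    $cat = filter_var($input['category'] ?? null, FILTER_VALIDATE_INT);
    if ($cat === false || !in_array($cat, CATEGORIES, true)) {
        $errors['category'] = 'unknown category';
    } else {
        $clean['category'] = $cat;
    }

    $title = trim((string) ($input['title'] ?? ''));
    if ($title === '' || strlen($title) > 120) {
        $errors['title'] = 'title must be 1-120 bytes';
    } else {
        $clean['title'] = $title;          // stored exactly as typed
    }

    $body = (string) ($input['body'] ?? '');
    if (strlen($body) > 10000) {
        $errors['body'] = 'body too long';
    } else {
        $clean['body'] = $body;            // no nl2br here: that is output formatting
    }

    return [$clean, $errors];
}

// 2. Model layer: placeholders keep the data out of the SQL grammar, so quotes
//    in $title cannot alter the statement and nothing needs escaping.
function savePost(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO posts (category_id, title, body) VALUES (:cat, :title, :body)'
    );
    $stmt->bindValue(':cat',   $clean['category'], PDO::PARAM_INT);
    $stmt->bindValue(':title', $clean['title'],    PDO::PARAM_STR);
    $stmt->bindValue(':body',  $clean['body'],     PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 3. View layer: escape for the HTML context at render time. nl2br runs after
//    htmlspecialchars, so the <br /> it inserts is the only markup that survives.
function renderPost(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $e($row['title']) . '</h2>' . PHP_EOL
         . '<p>' . nl2br($e($row['body'])) . '</p>';
}

// Demo with constructed hostile input: an injection attempt in the title and a
// script tag in the body, both of which are stored verbatim and rendered inert.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, category_id INT, title TEXT, body TEXT)');

$raw = [
    'category' => '2',
    'title'    => "O'Reilly'); DROP TABLE posts; --",
    'body'     => "<script>alert(1)</script>\nsecond line",
];
[$clean, $errors] = validatePostForm($raw);
if ($errors) {
    exit(print_r($errors, true));
}
$row = loadPost($db, savePost($db, $clean));
echo renderPost($row), PHP_EOL;                                                    // escaped HTML
echo $db->query('SELECT COUNT(*) FROM posts')->fetchColumn(), " row(s)", PHP_EOL; // table still exists

// A tampered select value is rejected in the form layer and never reaches the model.
[, $errors] = validatePostForm(['category' => '99', 'title' => 'x', 'body' => '']);
echo $errors['category'], PHP_EOL;
```

Two design points worth noticing against the original Security class: nothing is escaped on the way in, because the right escaping depends on where the value ends up (the SQL driver binds it, the template HTML-encodes it), and a value like "0" can never be confused with "rejected" because validation reports errors separately from the cleaned data instead of returning false.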

 

 
