Magento Models and Security Best Practices

databasemodel

I made a custom module which is actually a bit extended contact form module. I'm saving form data into database.

Is it save just to call $model->save() with values from POST?
This is how I save data:

$data = $this->getRequest()->getPost('partnercontact')

$model->addData($data); $model->save()

May I suppose that Magento sanitize values before saving it into database or my module is vulnerable to SQL injection attacks?

Best Answer

$this->getRequest() should return an instance of Mage_Core_Controller_Request_Http that extends Zend_Controller_Request_Http.
From what I know zend sanitizes the request values.
And the actual sql insert and update uses an instance of Varien_Db_Adapter_Pdo_Mysql that extends Zend_Db_Adapter_Pdo_Mysql. This one also should sanitize the queries.

But you can never be too careful.

Related Solutions

Magento – Data from form not being passed to database

You are trying to find a troublesome drop in the middle of a river! I recommend to first confirm that everything is OK with your ORM using a workbench script:

<?php
header('Content-Type: text/plain);
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors',true);
include 'app/Mage.php';
umask(0);
Mage::setIsDeveloperMode();
Mage::app();

$model = Mage::getModel('training/animal');
$model->setData(
    'name' => 'Tony',
    'type' => 'tiger',
    'edible' => 'no'
);
$model->save();
print_r($model->getData()); //should have array values & auto-increment ID

Magento 1.9 – Admin Form Save Date Format Issue

Found the problem, was missing a step in my controller.

$postData = $this->getRequest()->getPost();

$postData = $this->_filterDates($postData, array("date"));

After using _filterDates it started saving correctly

Best Answer

Related Solutions

Magento – Data from form not being passed to database

Magento 1.9 – Admin Form Save Date Format Issue

Related Topic