PHP: Handling input with the Zend Framework (Post, get, etc.)

Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow original address: http://stackoverflow.com/questions/458299/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-24 22:49:40  Source: igfitidea

Handling input with the Zend Framework (Post,get,etc)

Tags: php, zend-framework, post, input, get

Asked by DFectuoso

I'm re-factoring PHP on Zend code and all the code is full of $_GET["this"] and $_POST["that"]. I have always used the more phpish $this->_request->getPost('this') and $this->_request->getQuery('that') (this one being not so much logical with the getQuery instead of getGet).


So I was wondering if my method was safer/better/easier to maintain. I read in the Zend Framework documentation that you must validate your own input since the request object won't do it.


That leaves me with 2 questions:


  • Which is the best of these two? (or if there's another better way)
  • What is the best practice for validating PHP input with these methods?

Thanks!


Answered by Brian Fisher

I usually use $this->_request->getParams(); to retrieve either the post or the URL parameters. Then I use the Zend_Filter_Input to do validation and filtering. The getParams() does not do validation.


Using the Zend_Filter_Input you can do application level validation, using the Zend Validators (or you can write your own too). For example, you can make sure the 'months' field is a number:


$data = $this->_request->getParams();

// No filters are applied in this example; Zend_Filter_Input still needs the array.
$filters = array();

$validators = array(
    'month'   => 'Digits',
);

$input = new Zend_Filter_Input($filters, $validators, $data);

// Only use the value once it has passed the 'Digits' validator.
if ($input->isValid()) {
    $month = $input->getEscaped('month');
}

Answered by Till

Extending Brian's answer.


As you noted you can also check out $this->_request->getPost() and $this->_request->getQuery(). If you generalize on getParams(), it's sort of like using the $_REQUEST superglobal and I don't think that's acceptable in terms of security.


In addition to Zend_Filter, you may also use simple PHP to cast to the required type.


E.g.:


$id = (int) $this->_request->getQuery('id');

For other values, it gets more complicated, so make sure to e.g. quote in your DB queries (Zend_Db, see quoting identifiers, $db->quoteIdentifier()) and in views use $this->escape($var); to escape content.


Answered by Jan Han?i?

You can't write a one-size-fits-all validation function for get/post data, as in some cases you require a field to be an integer and in others a date, for instance. That's why there is no input validation in the Zend Framework.


You will have to write the validation code at the place where you need it. You can of course write some helper methods, but you can't expect the getPost() to validate something for you all by itself...


And it isn't even getPost/getQuery's place to validate anything; its job is to get you the data you want, and what happens to it from there on should not be its concern.


Answered by rafaelphp

// Read the 'id' parameter (route, query or post); null when it is absent.
$dataGet = $this->getRequest()->getParam('id', null);
$valid   = new Zend_Validate_Digits();

if (isset($dataGet) && $valid->isValid($dataGet)) {
    // do some...
} else {
    // not set or not a digit string
}

Answered by Kenzal Hunter

I have always used the more phpish $this->_request->getPost('this') and $this->_request->getQuery('that') (this one being not so much logical with the getQuery instead of getGet).

Which is the best of these two? (or if there's another better way)

Just a quick explanation on the choice of getQuery(). The wording choice comes from what kind of data it is, not how it got there. GET and POST are just request methods, carrying all sorts of information, including, in the case of a POST request, a section known as "post data". A GET request has no such block, any variable data it carries is part of the query string of the url (the part after the ?).


So, while getPost() gets the data from the post data section of a POST request, getQuery() retrieves data from the query string of either a GET or POST request (as well as other HTTP Request methods).


(Note that GET Requests should not be used for anything that might produce a side effect, like altering a DB row)


So, in answer to your first question, use the getPost() and getQuery() methods; this way, you can be sure of the data source (if you don't care, getParams() also works, but may include additional data).


What is the best practice for validating PHP input with these methods?


The best place to validate input is where you first use it. That is to say, when you pull it from getParams(), getPost(), or getQuery(). This way, your data is always correct for where you need it, and if you pass it off, you know it is safe. Keep in mind, if you pass it to another Controller (or Controller Action), you should probably check it again there, just to be safe. How you do this depends on your application, but it still needs to be checked.

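An added example (not code from any of the answers above) that puts Brian's Zend_Filter_Input usage and Kenzal's "validate where you first use it, and read by source" advice together in one Zend Framework 1 controller action. The controller name, field names ('id', 'month', 'comment') and the 'form' view are constructed for illustration; the validator and filter names are the standard Zend_Validate/Zend_Filter ones.

```php
<?php
// Added example (not from the original answers): assumes a Zend Framework 1
// controller. The field names and view name are constructed for illustration.
class ReportController extends Zend_Controller_Action
{
    public function saveAction()
    {
        $request = $this->getRequest();

        // State changes only on POST; a GET must not have side effects.
        if (!$request->isPost()) {
            throw new Zend_Controller_Action_Exception('Method Not Allowed', 405);
        }

        // Read each value from the source it is expected in. getParams()
        // would merge query, post and route params, much like $_REQUEST.
        $data = array(
            'id'      => $request->getQuery('id'),
            'month'   => $request->getPost('month'),
            'comment' => $request->getPost('comment'),
        );

        // Validate at first use: filters run first, then validators.
        $filters = array(
            '*'       => 'StringTrim',
            'comment' => 'StripTags',
        );
        $validators = array(
            'id'      => array('Digits', 'presence' => 'required'),
            'month'   => array('Digits', array('Between', 1, 12), 'presence' => 'required'),
            'comment' => array(array('StringLength', 0, 500), 'allowEmpty' => true),
        );
        $input = new Zend_Filter_Input($filters, $validators, $data);

        if (!$input->isValid()) {
            // Surface the per-field messages rather than using the bad data.
            $this->view->errors = $input->getMessages();
            return $this->render('form');
        }

        // From here on only typed, filtered values are used.
        $id      = (int) $input->getUnescaped('id');
        $month   = (int) $input->getUnescaped('month');
        $comment = $input->getUnescaped('comment');
        // Persist with Zend_Db using bound parameters; escape in the view.
    }
}
```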

Answered by Kenzal Hunter

Not directly related to the topic, but to ensure that you get a number in your input, one could also use $var+0 (however, if $var is a float it stays a float); in most cases you may use $id = $this->_request->getQuery('id')+0;
