Where do I manipulate and sanitize data from database in MVC PHP?

Question

Let's say I have a model User_model with a get_all_users() function:

Class User_model {
    function get_all_users() {
        $query = $this->db->query("SELECT * FROM users");
        return $query->result(); // Returns array with data
    }
}

Where in my application would I sanitize the data for output? Until now I have done this in get_all_users() by looping through the result and returning an array holding the santizied and manipulated data. The problem with that comes here: Let's say I have a date field in my database table that I want to me formatted in different ways depending on what page the user is on. Or I have some data I need to run htmlspecialchars() on.

The first idea that comes to mind is sanitizing and formatting the data in my views, but it just doesn't feel right. Should I have some kinda of layer between the view and model that does the job? How would that work in that case? Or should it be taken care of some way else?

Answer 1

I strongly disagree with Blaine.

The View is exactly the right place to do it. And explicitly the only place to do it.

Only the view knows where the data is going. How you transform data is completely dependant on where the data is going - and the specifics of how you do that are different for HTML (htmlspecialchars()), a URL string (urlencode()), a Javascript string (addslashes() or preferably json_encode()) , an email (quoted_printable_encode())....

Let's say I have a date field...to me formatted in different ways

That's not even an issue of sanitization, it's an issue of presentation - which still lies in the domain of the view.

Answer 2

This is hard, but i would pull the the data as it is in the Model, and clean it in the controller. so if the DB changes you can easily fix your querys

Answer 3

You can also make a view helper that sanitizes data, so that it can be reused in all view files.