Question

I'm new to Zend Framework (1.12). In my model, in my Zend_Db_Table, I want to validate the input (to avoid SQL injection) and I want to do this query:

`SELECT id FROM friendships WHERE (user1= $user1 AND user2= $user2 ) OR (user1= $user2 AND user2= $user1 );`

In the example I have seen they use something like $db->quoteInto('string'); but in the model what do I have to do? I can't write $this->quoteInto('string')...

Second question: how can I put multiple values in the quoteInto function? How do you validate input in your models? (not forms)

And last question, which steps do you follow to create an application using Zend Framework? I mean, first you plan your project, second you write the model, then you write controllers and finally views (suppose you are alone working on it).

PS: I apologize for my English, but I hope you'll understand. Thanks a lot and happy new year!!


Solution 2

Zend_Db_Table will provide the quotes most of the time; even when you don't explicitly use select(), Zend_Db usually will:

//query is broken into multiple lines for more clarity and is just an example
$select = $this->getAdapter()->select();
$select->from('friendships');
$select->where('user1 = ?', $user1);
$select->where('user2 = ?', $user2);//successive where() calls will tie together with AND
$select->orWhere('user1 = ?', $user2);

As long as your queries use the select() object they will be quoted.

When you need to do an insert or an update where the select object is not available, use quoteInto():

//in your DbTable models
$where = $this->getAdapter()->quoteInto('user1 = ?', $user1);
//Zend_Db_Table_Abstract::update() takes (array $data, $where); the adapter's own
//update() would additionally need the table name as its first argument
$result = $this->update($data, $where);

Second question: how can I put multiple values in the quoteInto function?

The API is:

/**
 * @param string  $text  The text with a placeholder.
 * @param mixed   $value The value to quote.
 * @param string  $type  OPTIONAL SQL datatype
 * @param integer $count OPTIONAL count of placeholders to replace
 * @return string An SQL-safe quoted value placed into the original text.
 */
public function quoteInto($text, $value, $type = null, $count = null)

So multiple values are not really supported by quoteInto(); however, other quote functions are available.

How do you validate input in your models? (not forms)

Use the same classes that you use when validating forms: Zend_Validate and Zend_Filter. The easiest way is to use Zend_Filter_Input:

//multiple methods demonstrated: filter names as strings and filter objects
$filters = array('*' => 'StringTrim', 'zip' => new Zend_Filter_Digits());
$validators = array('name' => 'Alnum');

$input = new Zend_Filter_Input($filters, $validators, $data);
if ($input->isValid()) {
    //do some stuff
}

And last question, which steps do you follow to create an application using Zend Framework? I mean, first you plan your project, second you write the model, then you write controllers and finally views (suppose you are alone working on it).

It's your application; do it how you want. Not meaning to be snide, but the application will let you know what it needs. Typically you will get something to display and some data to manipulate. Then just go and build the plan.
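Putting the answer's three pieces together in one model: the example below is added here and is not code from the question or the answer. It assumes a Zend Framework 1.12 application with a `friendships` table (columns `id`, `user1`, `user2`) and the default Zend_Db_Table adapter already configured; the class name, method name and the `findFriendshipId` return convention are mine. It validates the two ids with Zend_Filter_Input exactly as the answer suggests, then builds the OR-grouped query from the question with one quoteInto() call per value (since quoteInto() fills one placeholder per call), relying on Zend_Db_Select's own parentheses for the grouping.

```php
<?php
// Added example, not code from the original question or answers. Assumes a
// "friendships" table (id, user1, user2) and a configured Zend_Db_Table adapter.
class Application_Model_DbTable_Friendships extends Zend_Db_Table_Abstract
{
    protected $_name = 'friendships';

    /**
     * Validates the two user ids with Zend_Filter_Input, then runs the
     * OR-grouped lookup from the question with every value quoted by the
     * adapter. Returns the row id, or null when the ids are invalid or no
     * friendship exists.
     */
    public function findFriendshipId($user1, $user2)
    {
        // Same filter/validator classes as in forms: trim whitespace, then
        // require digits only. Anything else never reaches the SQL string.
        $filters    = array('*' => 'StringTrim');
        $validators = array(
            'user1' => array('Digits', 'presence' => 'required'),
            'user2' => array('Digits', 'presence' => 'required'),
        );
        $input = new Zend_Filter_Input($filters, $validators,
            array('user1' => $user1, 'user2' => $user2));
        if (!$input->isValid()) {
            return null;
        }
        // getUnescaped() skips the HTML escaping Zend_Filter_Input applies by
        // default; SQL escaping is the adapter's job below.
        $u1 = $input->getUnescaped('user1');
        $u2 = $input->getUnescaped('user2');

        $db = $this->getAdapter();

        // quoteInto() handles one placeholder per call, so each value gets its
        // own call and the pieces are concatenated afterwards. The 'INTEGER'
        // type makes the adapter emit the value as an integer literal.
        $direct  = $db->quoteInto('user1 = ?', $u1, 'INTEGER')
                 . ' AND '
                 . $db->quoteInto('user2 = ?', $u2, 'INTEGER');
        $reverse = $db->quoteInto('user1 = ?', $u2, 'INTEGER')
                 . ' AND '
                 . $db->quoteInto('user2 = ?', $u1, 'INTEGER');

        // Zend_Db_Select wraps each where()/orWhere() condition in its own
        // parentheses, which gives the grouping the question asked for:
        // (user1 = a AND user2 = b) OR (user1 = b AND user2 = a)
        $select = $this->select()
            ->from($this->_name, array('id'))
            ->where($direct)
            ->orWhere($reverse);

        $row = $this->fetchRow($select);
        return $row === null ? null : (int) $row->id;
    }
}
```

From a controller this is called as `$table->findFriendshipId($a, $b)`; the only way a value reaches the SQL text is through the adapter's quoting, and the Digits validator rejects anything that is not a plain number before the query is even built.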

OTHER TIPS

Thanks a lot for the answer and sorry for the delay... I solved it this way:

$db = Zend_Registry::get('db');

$select = $db->select()
    ->from($this->_name)
    ->where("utente1= ".$db->quote($user1, 'INTEGER')." AND utente2= ".$db->quote($user2, 'INTEGER'))
    ->orWhere("utente1= ".$db->quote($user2, 'INTEGER')." AND utente2= ".$db->quote($user1, 'INTEGER'));

$stmt = $select->query();
$result = $stmt->fetchAll();

I saved the db in my registry and I get it whenever I want... is there any security or other kind of problem doing it this way?

About the planning, I was asking if there's a fixed procedure to work with Zend; your answer gave me a lot of relief... :)

Anyway, I started creating the database and now I'm working on models; when I finish I'll make views and controllers together.

I have a question about joins: can I select columns from both tables? Is something like this right:

$select = $db->select()
             ->from(array('p' => 'products'),
                    array('p.product_id', 'p.product_name', 'l.description'))
             ->join(array('l' => 'line_items'),
                    'p.product_id = l.product_id');

How can I do that?
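For the join question above, here is an added example (not code from the post) in the form the ZF1 reference guide uses: the column list in from() belongs to the first table and the third argument of join() lists the joined table's columns, so both tables contribute columns to the result. It assumes tables `products` (`product_id`, `product_name`) and `line_items` (`product_id`, `description`), and the function name is mine.

```php
<?php
// Added example, not from the original post. Assumes "products"
// (product_id, product_name) and "line_items" (product_id, description)
// and an already configured Zend_Db adapter passed in as $db.
function selectProductWithLineItems(Zend_Db_Adapter_Abstract $db, $productId)
{
    // Columns go with their own table: the from() list belongs to "p" and
    // the third join() argument belongs to "l". Zend_Db_Select prefixes each
    // with its correlation name when it assembles the SQL.
    return $db->select()
        ->from(array('p' => 'products'),
               array('product_id', 'product_name'))
        ->join(array('l' => 'line_items'),
               'p.product_id = l.product_id',
               array('description'))
        // The id is bound through a placeholder, never concatenated into
        // the condition string, so the adapter quotes it.
        ->where('p.product_id = ?', (int) $productId);
}

// $select = selectProductWithLineItems($db, $id);
// (string) $select   -> the assembled SQL, handy for checking the join
// $db->fetchAll($select) -> one row per matching line item, each carrying
//                           product_id, product_name and description
```

Because the joined table's columns are declared in join(), the select stays a single object that can still take further where()/order()/limit() calls with placeholders, which keeps every user-supplied value on the quoted path.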

Licensed under: CC-BY-SA with attribution