When it comes to the location of server-side filtering and validation, there are two obvious options: the Service Layer or the Domain. The benefit of the first approach is that it is easy to manage. It is easy to spot when filtering and validation logic is missing from the Service Layer, and it's straightforward to fix.
The second option, using the Domain, is more difficult to manage but better aligned with OO principles. For this approach, I see three main data contexts.
- Data for newly created objects can be filtered and validated in the object's factory.
- Data which updates object properties can be filtered and validated in the custom setter methods.
- Data which is not persisted usually comprises finder parameters and should be filtered and validated in the mapper methods themselves.
You may choose the first option, or the second, or a combination of the two. I get away with filter_var for simple cases, and Zend Input Filters for more advanced scenarios.
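
The three Domain contexts listed above, sketched with filter_var. This is an added example, not code from the original post; the User and UserMapper classes, the users table and the 0 to 150 age range are assumptions made for illustration, and the code needs PHP 8.

```php
<?php
declare(strict_types=1);
final class User
{
    private string $email;
    private int $age;

    private function __construct() {}

    // Context 1: the factory is the only way to build a User, so new-object
    // data cannot bypass validation. It reuses the setters below.
    public static function create(array $data): self
    {
        $user = new self();
        $user->setEmail($data['email'] ?? null);
        $user->setAge($data['age'] ?? null);
        return $user;
    }

    // Context 2: custom setters validate every later property update.
    public function setEmail(mixed $email): void
    {
        // Non-strings (arrays, null) become null, which fails validation.
        $clean = filter_var(is_string($email) ? trim($email) : null, FILTER_VALIDATE_EMAIL);
        if ($clean === false) { throw new InvalidArgumentException('Invalid email address'); }
        $this->email = $clean;
    }

    public function setAge(mixed $age): void
    {
        // Hypothetical business range; FILTER_VALIDATE_INT returns an int on success.
        $range = ['options' => ['min_range' => 0, 'max_range' => 150]];
        $clean = filter_var($age, FILTER_VALIDATE_INT, $range);
        if ($clean === false) { throw new InvalidArgumentException('Invalid age'); }
        $this->age = $clean;
    }
}

final class UserMapper
{
    public function __construct(private PDO $pdo) {}

    // Context 3: finder parameters are never persisted, so no factory or
    // setter sees them. The mapper method validates them itself.
    public function findByMinAge(mixed $minAge): array
    {
        $min = filter_var($minAge, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($min === false) { throw new InvalidArgumentException('minAge must be an integer >= 0'); }
        $stmt = $this->pdo->prepare('SELECT email, age FROM users WHERE age >= :min');
        $stmt->execute([':min' => $min]);
        // Rows read back from storage pass through the same factory checks.
        return array_map([User::class, 'create'], $stmt->fetchAll(PDO::FETCH_ASSOC));
    }
}
```

Validation here is independent of the prepared statement: the bound parameter prevents SQL injection, while the filter_var check rejects values that are well-formed SQL input but meaningless to the domain.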