For some reason the AppModel->updateAll() method does not escape data passed to it. Looking over the documentation though, I can't find anything on how you actually escape data with CakePHP.

Down in datasources/dbo/dbo_mysql.php I found the value() method that seems to just use mysql_real_escape_string() - but how do you access that method from up in the models?
So as you can see, properly escaping the input falls third on the list, but for all intents and purposes, it should be enough to avoid SQL Injection.
Escaping is a technique that preserves data as it enters another context. PHP is frequently used as a bridge between disparate data sources, and when you send data to a remote source, it's your responsibility to prepare it properly so that it's not misinterpreted.
The SQL ESCAPE keyword, used with LIKE, is a different mechanism: it escapes the pattern-matching characters, the percent sign (%) and underscore (_), when they form part of the data rather than the pattern.
// Inside a model method: get the model's datasource and use its value()
// to escape and quote the input before interpolating it into raw SQL.
$name = "somename";
$db = $this->getDataSource();
$this->query('SELECT * FROM models WHERE name = ' . $db->value($name, 'string') . ';');
Because the value is passed to value() with the 'string' column type, CakePHP also takes care of quoting it, so the resulting query is:
SELECT * FROM models WHERE name = "somename";
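The same idea applied to the updateAll() problem from the question, as an added stand-alone example (not CakePHP's own code): the CakePHP datasource is stood in for by PDO on an in-memory SQLite database, value() is assumed to behave like DboSource::value() for the 'string' type (escape and wrap in quotes), and updateAllSql() mirrors the way updateAll() drops field values into the SQL verbatim.

```php
<?php
// Added example. Assumptions: PDO::quote() stands in for
// $db->value($data, 'string'); updateAllSql() mimics Model::updateAll(),
// which interpolates its $fields values into the statement unescaped.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE models (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO models (name) VALUES ('old')");

// Stand-in for $db->value($data, 'string'): escape and quote as one literal.
function value(PDO $db, $data) {
    return $db->quote($data);
}

// Mirrors updateAll($fields, $conditions): values are used as raw SQL
// expressions, so the caller must already have quoted them.
function updateAllSql(array $fields, array $conditions) {
    $set = array();
    foreach ($fields as $col => $expr) { $set[] = "$col = $expr"; }
    $where = array();
    foreach ($conditions as $col => $expr) { $where[] = "$col = $expr"; }
    return 'UPDATE models SET ' . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $where);
}

$userInput = "O'Reilly";  // constructed sample input containing a quote

// Unsafe: the raw input becomes part of the SQL text and breaks the literal.
$unsafe = updateAllSql(array('name' => "'$userInput'"), array('id' => 1));
echo $unsafe, "\n";   // UPDATE models SET name = 'O'Reilly' WHERE id = 1
try {
    $pdo->exec($unsafe);
} catch (PDOException $e) {
    echo "unescaped input broke the statement\n";
}

// Safe: value() yields one quoted literal the parser cannot escape from.
$safe = updateAllSql(array('name' => value($pdo, $userInput)), array('id' => 1));
echo $safe, "\n";     // UPDATE models SET name = 'O''Reilly' WHERE id = 1
$pdo->exec($safe);
echo $pdo->query('SELECT name FROM models WHERE id = 1')->fetchColumn(), "\n";
```

Inside a real CakePHP model the equivalent is `$this->updateAll(array('Model.name' => $db->value($userInput, 'string')), array('Model.id' => $id))` with `$db = $this->getDataSource()`.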