How do you escape SQL data in CakePHP?

Tags: php, orm, cakephp

For some reason the AppModel->updateAll() method does not escape data passed to it. Looking over the documentation though, I can't find anything on how you actually escape data with CakePHP.

Down in datasources/dbo/dbo_mysql.php I found the value() method that seems to just use mysql_real_escape_string() - but how do you access that method from up in the models?

Xeoncross asked Aug 20 '10 19:08



1 Answer

$name = "somename";

// getDataSource() is a Model method, so this code runs inside a model;
// it returns the DboSource in use (e.g. DboMysql).
$db = $this->getDataSource();

// value() escapes the input with the driver's escape function and, because
// the column type is given as 'string', wraps it in quotes as well.
$this->query('SELECT * FROM models WHERE name = ' . $db->value($name, 'string') . ';');

CakePHP also takes care of quoting your input, because it is marked as a string.

SELECT * FROM models WHERE name = "somename";
mstra001 answered Oct 14 '22 06:10
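Applying the same idea to the updateAll() case raised in the question, as an added example that is not part of the original question or answer: the $fields array of updateAll() is treated as raw SQL expressions, so a literal value has to be escaped and quoted by you, which is exactly what $db->value() does. It assumes CakePHP 1.x and a hypothetical Post model with a title column.

```php
<?php
// Added example, not from the original post. Assumes CakePHP 1.x and a
// hypothetical model "Post" with a "title" column.
class Post extends AppModel {
    public $name = 'Post';

    public function renameAll($oldTitle, $newTitle) {
        $db = $this->getDataSource();

        // UNSAFE: the $fields array is passed through as SQL, so quoting by
        // hand leaves a quote character in $newTitle free to end the literal:
        // $this->updateAll(array('Post.title' => "'" . $newTitle . "'"), ...);

        // SAFE: value() runs the driver's escape routine and adds the quotes,
        // so the whole input becomes a single SQL string literal.
        return $this->updateAll(
            array('Post.title' => $db->value($newTitle, 'string')),
            // Values in the conditions array are quoted by the ORM itself.
            array('Post.title' => $oldTitle)
        );
    }
}
```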