the bottom line is you should not trust any parameter generated from outside your app by user.
You should do input validation, which is sanitize class.
so let say the $id will not contain '; delete * from user' , if your id expected is int, make sure it only contains int
hope helps
On Fri, Aug 31, 2012 at 4:36 PM, Mariano C. <mariano.calandra@gmail.com> wrote:
My method is something likepublic function getSomething($id)$sql = "SELECT ... WHERE id =".$id;return $this->Model->query($sql);
}How should I use your tips?
Il giorno venerdì 31 agosto 2012 05:11:34 UTC+2, Dr. Tarique Sani ha scritto:Using prepared statements via the fetchAll method with Sanitize::clean
is the way to go--
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.
--
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.
No comments:
Post a Comment