Friday, August 31, 2012

Re: SQL query rather than CakePHP style query

hi,

The bottom line is you should not trust any parameter generated from outside your app by the user.

You should do input validation, which is the Sanitize class.

So let's say the $id will not contain '; delete * from user'; if your id is expected to be an int, make sure it only contains an int.

Hope this helps.

On Fri, Aug 31, 2012 at 4:36 PM, Mariano C. <mariano.calandra@gmail.com> wrote:
My method is something like

public function getSomething($id) {
   $sql = "SELECT ... WHERE id =".$id;
   return $this->Model->query($sql);
}

How should I use your tips?

On Friday, August 31, 2012 05:11:34 UTC+2, Dr. Tarique Sani wrote:
Using prepared statements via the fetchAll method with Sanitize::clean
is the way to go

--
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com.
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.
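The concatenated query from the question placed beside a validated, parameter-bound version, as an added example that is not from this thread or from the CakePHP project. It assumes CakePHP 2.x, where Model::query($sql, $params) forwards to DboSource::fetchAll() and binds the $params array as prepared-statement placeholders; the model name Something, the table somethings and the column list are made up for the illustration.

```php
<?php
// Added example (not from the thread). Assumes CakePHP 2.x, where
// Model::query($sql, $params) forwards to DboSource::fetchAll() and
// binds $params as prepared-statement placeholders.
App::uses('AppModel', 'Model');

class Something extends AppModel {

    // BEFORE (the pattern from the question): $id is concatenated straight
    // into the SQL string, so whatever the caller passes becomes part of
    // the statement instead of being treated as a value.
    public function getSomethingUnsafe($id) {
        $sql = "SELECT id, name FROM somethings WHERE id = " . $id;
        return $this->query($sql);
    }

    // AFTER: check the type first, then bind the value as a parameter.
    public function getSomethingSafe($id) {
        // 1) Input validation: the id is expected to be a positive integer
        //    and nothing else. FILTER_VALIDATE_INT returns false for any
        //    string that is not a whole integer (e.g. "1; delete ...",
        //    "1 OR 1=1", or an empty string), so those never reach the DB.
        $validId = filter_var($id, FILTER_VALIDATE_INT, array(
            'options' => array('min_range' => 1),
        ));
        if ($validId === false) {
            throw new InvalidArgumentException('id must be a positive integer');
        }

        // 2) Prepared statement: the '?' placeholder is bound by the
        //    database driver, so the value is sent separately from the SQL
        //    text and is never parsed as part of the statement.
        $sql = "SELECT id, name FROM somethings WHERE id = ?";
        return $this->query($sql, array($validId));
    }
}
```

The integer check is the guard the reply above recommends for numeric ids; the bound placeholder is the general defence, since it keeps the value out of the SQL text for any column type, including strings where a whitelist check is not possible.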