Monday, October 22, 2012

Making database queries secure

I do some custom database queries using some values derived from a call to find.  I think I should make these more secure using a security function, but I am not sure which function to use.  Should I use Sanitize or mysql_real_escape_string, and what parameters should I pass?  Here is the relevant code:
  // Look up the user; the condition key is empty in the post as received.
  $user = $this->User->find('first', array('conditions' => array('' => $id)));
  $username = $user['User']['username'];
  $email = $user['User']['email'];
  // $username and $id are concatenated straight into the SQL text.
  $qry = $this->User->query('UPDATE outemails SET to_user_id=null, recipient="'.$username.
   '" WHERE to_user_id="'.$id.'";');
  // Second statement is cut off in the post as received.
  $qry = $this->User->query('INSERT INTO delemails (username, email, blacklisted, created) VALUES ("'.
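To show why the choice is not really between Sanitize and mysql_real_escape_string, here is an added example (not code from the original post or from CakePHP) that runs the post's UPDATE both ways against an in-memory SQLite database through PDO. The outemails table and its columns come from the post; the rows and the username are constructed here. The executed statements use SQLite's single-quoted literals; the double-quoted MySQL literals in the post are broken in exactly the same way by a double quote in the value. A username is attacker-chosen data even when it was just read back from your own users table, so the escaping rule must be applied to it. Escaping functions only cover values inside quoted literals and mysql_real_escape_string needs an open mysql_* link, which a PDO-backed CakePHP 2.x data source does not have; a prepared statement with bound values avoids both problems, and CakePHP 2.x exposes one through the second argument of Model::query().

```php
<?php
// Added example, not from the original post. Runs stand-alone with PDO and an
// in-memory SQLite database. Table and column names follow the post; the
// sample rows and the hostile username below are constructed for the demo.

function setUpDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE outemails (id INTEGER PRIMARY KEY, to_user_id INTEGER, recipient TEXT)');
    $db->exec("INSERT INTO outemails (to_user_id, recipient) VALUES (7, ''), (8, ''), (9, '')");
    return $db;
}

function recipients(PDO $db): array {
    return $db->query('SELECT id, to_user_id, recipient FROM outemails ORDER BY id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// A username as find() would hand it back. The user picked it at signup, so it
// is attacker-controlled even though it was just read from our own table.
$id = 7;
$username = "mallory' WHERE 1=1 -- ";   // constructed, deliberately hostile

// 1. String concatenation, as in the post. The quote ends the literal early,
//    the attacker supplies their own WHERE clause, and '--' comments out ours,
//    so every outgoing mail is detached from its user and re-addressed.
$db = setUpDb();
$unsafe = "UPDATE outemails SET to_user_id=null, recipient='" . $username .
          "' WHERE to_user_id='" . $id . "';";
echo $unsafe, "\n";
$affected = $db->exec($unsafe);
echo "concatenated query touched $affected rows (one was intended)\n";
print_r(recipients($db));

// 2. Prepared statement: the SQL text is fixed before any value is seen and
//    the values travel separately, so the quote and the comment marker are
//    just characters inside a name.
$db = setUpDb();
$stmt = $db->prepare('UPDATE outemails SET to_user_id = NULL, recipient = ? WHERE to_user_id = ?');
$stmt->execute([$username, $id]);
echo "prepared statement touched " . $stmt->rowCount() . " rows\n";
print_r(recipients($db));

// 3. The same statement inside a CakePHP 2.x model, whose PDO-backed data
//    sources pass the second array argument of Model::query() to
//    PDOStatement::execute() (assumes CakePHP 2.x; not code from the post):
//
//    $this->User->query(
//        'UPDATE outemails SET to_user_id = NULL, recipient = ? WHERE to_user_id = ?',
//        array($username, $id)
//    );
```

Running it shows the concatenated statement rewriting all three rows while the prepared one changes only the row for user 7. The truncated INSERT into delemails in the post takes the same treatment: one placeholder per column value, with the values passed in the array rather than spliced into the string.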
