Friday, October 31, 2008

Re: Question about Data Sanitation in CAKEPHP

> If I would sanitize my input from JavaScript code?

No, you need to escape whenever you send dynamic content to the user
(though the form helper will escape the input values); use the
built-in h() function.

echo h($comment['Comment']['content']);

If you want to strip the tags or other bad content and prevent it from
being stored (they will be escaped by the dbo layer but will get
inserted in the db anyway), you need to use Sanitize::clean() or
Sanitize::strip<What>(), where <What> is any of Tags, Images, Scripts,
Whitespace, All.

HTH,
- Dardo Sordi.

>
> On 30 Oct, 18:57, Gwoo <gwoo.cake...@gmail.com> wrote:
>> The DBO layer handles proper escaping of your data to prevent SQL
>> injection. You do not need to use Sanitize unless you are doing
>> something out of the ordinary.
>
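As an added example, not from the thread or from CakePHP's own code, the plain-PHP script below contrasts the two approaches Dardo describes: cake_h() is an assumed stand-in for CakePHP's h() helper, strip_on_input() for Sanitize::stripTags(), the "database" is a plain array, and the two sample comments are constructed.

```php
<?php
// Added example, not code from the original thread or from CakePHP.
// Contrasts escaping on output (what h() does) with stripping on input
// (what Sanitize does). The DBO layer's SQL escaping is out of scope here:
// the point is what reaches the browser.

function cake_h($text) {
    // Assumed stand-in for CakePHP 1.2's h(): entities for < > & " '
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function strip_on_input($text) {
    // Assumed stand-in for Sanitize::stripTags(): tags are removed, so
    // the text is altered before it is ever stored.
    return strip_tags($text);
}

function render_unescaped(array $comment) {
    // Dynamic content sent to the user without escaping
    return '<p>' . $comment['Comment']['content'] . '</p>';
}

function render_escaped(array $comment) {
    // Dynamic content sent through h() at output time
    return '<p>' . cake_h($comment['Comment']['content']) . '</p>';
}

// Constructed sample rows: one carrying a script tag, one with harmless markup.
$comments = array(
    array('Comment' => array('content' => '<script>doSomething()</script>hi')),
    array('Comment' => array('content' => 'Use <b>bold</b> for emphasis')),
);

foreach ($comments as $c) {
    // raw: the script tag is delivered to the browser as markup
    echo "raw:      " . render_unescaped($c) . "\n";
    // escaped: rendered as visible text; the stored value is unchanged
    echo "escaped:  " . render_escaped($c) . "\n";
    // stripped, then escaped: also safe, but the <b> is lost for good
    $stripped = array('Comment' => array(
        'content' => strip_on_input($c['Comment']['content']),
    ));
    echo "stripped: " . render_escaped($stripped) . "\n";
}
```

Escaping on output is needed in every case; stripping on input is an optional, lossy extra that changes what the legitimate second comment stores.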

You received this message because you are subscribed to the Google Groups "CakePHP" group.
