> inside a query you should read thishttps://trac.cakephp.org/ticket/5345as stateted that "it would actually
> make SQL injection a *feature"
>
Notice that every user input should be properly sanitized and escaped
if you plan to use it as a SQL expression with DboSource::expression
().
So, as you can see in my article, you can use SQL functions like this:
// inside the model scope
$db = $this->getDataSource();
$this->data[$this->alias]['signedup'] = $db->expression('CURDATE()');
but be aware that expressions won't be automatically escaped so you
need to it manually with DboSource::value() :
$db = $this->getDataSource();
$expression = sprintf("CONCAT('[', %s, ']')", $db->value($userInput));
$this->data[$this->alias]['signedup'] = $db->expression($expression);
hope it's somewhat clarifying
Rafael Bandeira <rafaelbandeira3>
rafaelbandeira3.wordpress.com
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
No comments:
Post a Comment