stackoom
  简体   繁体   中英

How do you escape SQL data in CakePHP?

 原文  2010-08-20 19:33:38       php/ orm/ cakephp

Question

For some reason the AppModel->updateAll() method does not escape data passed to it. Looking over the documentation though, I can't find anything on how you actually escape data with CakePHP.

Down in datasources/dbo/dbo_mysql.php I found the value() method that seems to just use mysql_real_escape_string() - but how do you access that method from up in the models?

3 answers

solution1
 9 ACCPTED  2010-08-20 19:39:49

For most of CakePHP's model functions you don't have to worry about escaping the input.

CakePHP already protects you against SQL Injection if you use:

  1. CakePHP's ORM methods (such as find() and save() ) plus:
  2. Proper array notation (ie. array('field' => $value) ) instead of raw SQL.

For sanitization against XSS its generally better to save raw HTML in database without modification and sanitize at the time of output/display.

See https://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html There are other cases, however, when you need to run a custom SQL query or subquery. In these cases you can either:

Use Prepared Statements 

$db->fetchAll(
    'SELECT * from users where username = :username AND password = :password',
    ['username' => 'jhon','password' => '12345']
);

Custom Escaping with Model->getDataSource()->value() 

$sql = 'SELECT * FROM table WHERE name = ' 
     . $this->MyModel->getDataSource()->value($untrustedInput, 'string') . ';'

The value() function basically escapes and adds quotes like this: 

"'" . mysql_real_escape_string($data, $this->MyModel->getDataSource()->connection) . "'"

Sanitize Class

This used to be an option, but was deprecated as of CakePHP 2.4.

solution2
 3  2014-08-17 19:06:36

$name = "somename";

$db = $this->getDataSource();
$this->Model->query('SELECT * FROM models WHERE name = '.$db->value($name, 'string') . ';');

CakePHP cares also about quoting your input, because it is marked as a string. 

SELECT * FROM models WHERE name = "somename";

solution3
 -1  2011-09-19 01:51:41

Here's an alternative way of doing things, using Sanitize::paranoid:

http://www.ibm.com/developerworks/opensource/library/os-php-cake3/

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do you escape quotes in a sql query using php? When you absolutely have to manually escape SQL in CakePHP 3.4.7 How do you escape strings when writing data Migrations in Phinx? How do you capture the SQL queries running in a CakePHP page? How do you escape ' on doctrine? how do you escape a dot? CakePHP 3 - How do you patch associated data manually, and save all? How to escape mysql database name to prevent sql injection in cakephp3? What encoding is this… and how do you escape it in php? How do you escape namespace string
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM