
How do I block SQL injections in CakePHP

Developer https://www.devze.com 2023-01-24 01:33 Source: Internet
How do I block SQL injections from a page like this one... http://u.neighborrow.com/items/recent



CakePHP already protects you against SQL injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (i.e. array('field' => $value)) instead of raw SQL. For sanitization against XSS it's generally better to save raw HTML in the database without modification and sanitize at the time of output/display.

This should give you a good idea of how to do it.

App::import('Sanitize');

class MyController extends AppController {
    ...
    ...
}

Once you've done that, you can make calls to Sanitize statically.


CakePHP takes care of it. Read their book.


You need sanitize only in the rare cases where you need to write raw queries.

Raw query is:

$this->User->query("select username from users where email='$email_received_from_user_form'");

before executing that you need to:

App::import('Sanitize');

$email_received_from_user_form = Sanitize::paranoid($email_received_from_user_form, array('@', '_', '-', '.'));

If used right, data sanitization will remove/edit all the malicious chars in the query (no SQL injections).

See here: http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html

After you learn all about Data Sanitization try to never use it. Use the CakePHP way like so:

$this->User->field('username', array('email' => $email_received_from_user_form));

In this case you don't have to worry about SQL injections at all. You should never use raw queries unless you don't have any other choice.

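The answers above make three claims: a raw query built by string interpolation is only as safe as the data pasted into it, Sanitize::paranoid() is a character whitelist that strips anything suspicious, and the ORM call ($this->User->field(...)) is safe because the framework keeps data and SQL apart. The following standalone PHP script, written for this page rather than taken from CakePHP or from any answer, shows all three behaviours on the same input. It uses PDO with an in-memory SQLite database instead of the CakePHP model layer, and the paranoid() function is my own reimplementation of the Sanitize::paranoid() whitelist idea, not the library's code. The table rows and the e-mail addresses are constructed sample data; the second one contains a legitimate apostrophe, which is enough to show what interpolation does to a query.

```php
<?php
// Added example for this page (not CakePHP's code). Demonstrates the
// difference between interpolating user data into SQL, whitelisting it
// with a paranoid()-style filter, and binding it as a query parameter
// (which is what CakePHP's ORM methods do on your behalf).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
// Constructed sample rows; the apostrophe in the second e-mail is valid data.
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");
$db->exec("INSERT INTO users (username, email) VALUES ('obrien', 'o''brien@example.com')");

// Whitelist filter in the spirit of Sanitize::paranoid() (own reimplementation):
// every character that is not alphanumeric or listed in $allowed is dropped.
function paranoid(string $value, array $allowed = []): string {
    $extra = preg_quote(implode('', $allowed), '/');
    return preg_replace('/[^a-zA-Z0-9' . $extra . ']/', '', $value);
}

// The raw-query style from the answer above: user data interpolated into SQL.
function usernameByEmailRaw(PDO $db, string $email): ?string {
    $sql = "SELECT username FROM users WHERE email='$email'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['username'] : null;
    } catch (PDOException $e) {
        // The quote in the input has already changed the meaning of the SQL;
        // here it only produces a syntax error, but the query is no longer ours.
        return 'SQL ERROR: ' . $e->getMessage();
    }
}

// The bound-parameter equivalent of
// $this->User->field('username', array('email' => $email)):
// the value travels separately from the SQL text and can never be parsed as SQL.
function usernameByEmailBound(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT username FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

$inputs = ['alice@example.com', "o'brien@example.com"];
foreach ($inputs as $email) {
    printf("input: %s\n", $email);
    printf("  raw interpolation : %s\n", var_export(usernameByEmailRaw($db, $email), true));
    printf("  bound parameter   : %s\n", var_export(usernameByEmailBound($db, $email), true));
    // paranoid() removes the quote, so the raw query would now be well-formed,
    // but it has also altered the data: the cleaned address matches no user.
    $cleaned = paranoid($email, ['@', '_', '-', '.']);
    printf("  paranoid() -> %s : %s\n", $cleaned, var_export(usernameByEmailBound($db, $cleaned), true));
}
```

Run it with php demo.php (any PHP build with pdo_sqlite). For alice@example.com all three paths agree; for o'brien@example.com the interpolated query fails while the bound query returns the right row, and the whitelisted value silently becomes a different address and finds nothing. That last line is the practical reason the answer says to learn Sanitize and then avoid it: a whitelist keeps the SQL intact by mutating the data, whereas parameter binding keeps both intact.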
