> Finally if you are hopping that cake allow you to make mysql function calls > inside a query you should read thishttps://trac.cakephp.org/ticket/5345as > stateted that "it would actually > make SQL injection a *feature" >
Notice that every user input should be properly sanitized and escaped if you plan to use it as a SQL expression with DboSource::expression (). So, as you can see in my article, you can use SQL functions like this: // inside the model scope $db = $this->getDataSource(); $this->data[$this->alias]['signedup'] = $db->expression('CURDATE()'); but be aware that expressions won't be automatically escaped so you need to it manually with DboSource::value() : $db = $this->getDataSource(); $expression = sprintf("CONCAT('[', %s, ']')", $db->value($userInput)); $this->data[$this->alias]['signedup'] = $db->expression($expression); hope it's somewhat clarifying Rafael Bandeira <rafaelbandeira3> rafaelbandeira3.wordpress.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---