Re: beforeSave?

2009-11-17 Thread Erik Nedwidek
Dave,

No need to call the beforeSave method as it is a callback.

function beforeSave() {
  // Load the core Sanitize class before using it.
  App::import('Sanitize');
  // Clean the whole data array in place; Cake calls this callback before every save.
  $this->data = Sanitize::clean($this->data);

  // Returning true lets the save proceed.
  return true;
}

That should be all you need to do. Throw a couple of $this->log() statements
in there to verify the method is being called by Cake if you're not sure.

Erik Nedwidek
Project Manager
Lighthouse I.T. Consulting, Inc.


On Tue, Nov 17, 2009 at 10:37 PM, Dave make.cake.b...@gmail.com wrote:

 Do you manually have to call beforeSave();

 I have
 function beforeSave() {
   $clean = new Sanitize();
   $this->data = $clean->clean($this->data);
   return true;
 }

 But it does nothing to the data.

 What am I doing wrong?

 Dave

 --

 You received this message because you are subscribed to the Google Groups
 CakePHP group.
 To post to this group, send email to cake-...@googlegroups.com.
 To unsubscribe from this group, send email to
 cake-php+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/cake-php?hl=.


Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Erik Nedwidek
The big problem really is accepting input and displaying it without encoding
or stripping the html. If you want to accept html, you need to strip out all
javascript, intrinsic events, and even scripts hidden in styles. For the
most part Cake will construct the SQL queries in a protected manner. You
will also want to scan for Base64 encoded data as people are hiding their
scripts in there too.

Erik Nedwidek
Project Manager
Lighthouse I.T. Consulting, Inc.


On Tue, Nov 17, 2009 at 10:57 PM, Dr. Loboto drlob...@gmail.com wrote:

 When data is saved to the DB, Cake properly escapes it, so there is no problem
 with SQL injection and no need to sanitize before.

 When data is displayed, using the h() function will secure it enough.

 With such an approach you face problems only when you allow users to post HTML
 (for example, with a WYSIWYG editor). In this case neither h() nor Sanitize
 can save you, as both of them cannot be used in such a case.

 On Nov 18, 4:07 am, Dave make.cake.b...@gmail.com wrote:
  I have asked a few questions about data sanitization and got different
  responses.
  Some people say just don't sanitize and use echo h(); others say always
  sanitize.
  Books say never trust what the user enters, so always clean data before
  saving.
 
  I know every app has different requirements, but as a general rule what do
  you do?
 
  Just looking for feedback as to different methods for each baker.
 
  Thanks
 
  Dave

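Erik's point that accepting HTML means stripping script, intrinsic event handlers, scripts hidden in styles and encoded payloads, and Dr. Loboto's that plain text needs only h() at display time, as an added example that is not code from the thread or from CakePHP. It assumes PHP 5.3.6 or later with the DOM extension, and the function name filterHtml and the allow-lists are my own choices.

```php
<?php
// Added example for the thread above; not code from CakePHP or the posters.
// Assumes PHP >= 5.3.6 with the DOM extension (DOMDocument::saveHTML($node)).
// Plain-text fields need only h() at display time; this is for fields where
// users may post HTML. Elements not on the allow-list are unwrapped (text
// kept); script-carrying ones are dropped with their contents. Attributes not
// on the allow-list are removed (handlers, inline style); links must be http(s).
function filterHtml($html) {
    $keep  = array('p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a');
    $drop  = array('script', 'style', 'iframe', 'object', 'embed');
    $attrs = array('a' => array('href'));

    $doc = new DOMDocument();
    // Wrap the fragment so it parses as UTF-8; '@' silences tag-soup warnings.
    if (!@$doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>')) {
        return '';
    }
    $body  = $doc->getElementsByTagName('body')->item(0);
    $xpath = new DOMXPath($doc);
    $nodes = array();
    foreach ($xpath->query('//body//*') as $el) { $nodes[] = $el; }
    // Reverse document order: every child is handled before its parent.
    foreach (array_reverse($nodes) as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, $drop)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        if (!in_array($tag, $keep)) {
            while ($el->firstChild) { $el->parentNode->insertBefore($el->firstChild, $el); }
            $el->parentNode->removeChild($el);
            continue;
        }
        for ($i = $el->attributes->length - 1; $i >= 0; $i--) {
            $name = strtolower($el->attributes->item($i)->nodeName);
            $ok = isset($attrs[$tag]) && in_array($name, $attrs[$tag]);
            if ($ok && $name === 'href') {   // rejects javascript: and base64 data: URIs
                $ok = (bool) preg_match('#^https?://#i', trim($el->getAttribute($name)));
            }
            if (!$ok) { $el->removeAttribute($name); }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

// Constructed sample (not from the thread): handler, style, script and javascript: link are stripped.
echo filterHtml('<p style="x" onclick="f()">Hi <a href="javascript:g()">link</a><script>h()</script></p>');
```

Keep the filter at the output or save boundary for rich-text fields only, and leave plain-text fields to h() so that stored data is never double-encoded.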