Re: Point of Sanitize-sql?

2006-07-21 Thread yeastinflexion
I thought PHP automatically addslashes to posted data?

Re: Point of Sanitize-sql?

2006-07-21 Thread John Zimmerman [gmail]
Only if magic quotes is enabled in php.ini.

On 7/20/06, yeastinflexion [EMAIL PROTECTED] wrote:
> I thought PHP automatically addslashes to posted data?

Re: Point of Sanitize-sql?

2006-07-20 Thread kumas
If you use something like this, which Cake cannot automagically escape:

$foo = $this->MyModel->findAll("id='{$id}'");

you should use Sanitize::sql() on $id to prevent SQL injection attacks.

Point of Sanitize-sql?

2006-07-19 Thread [EMAIL PROTECTED]
Hey, I'm using Cake for the first time to develop an application, and I'm intent on making it as secure as possible. One question that came up for me is the point of the Sanitize::sql function. The description of the function reads: Makes a string SQL-safe by adding slashes (if needed

Re: Point of Sanitize-sql?

2006-07-19 Thread gwoo
Cake escapes by default without the need for Sanitize. But if you want to be extra secure, using the cleanArray, cleanValue methods of Sanitize are important. I imagine Sanitize::sql() is there in case there are other places in your app that you might want to escape data in the same way.
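The following is an added example for this thread; it is not code from any of the posts and not CakePHP's own code. It puts the three points made above side by side: a hand-built condition string that Cake passes through untouched (kumas), the slashes that Sanitize::sql() adds only "if needed" (the original question and John Zimmerman's magic-quotes reply), and a stricter type check for numeric keys. The function sanitizeSqlStandIn() is an assumed stand-in that imitates the conditional-addslashes behaviour the thread describes, so the file runs without Cake installed; the real class is Sanitize::sql(). The sample id is constructed.

```php
<?php
// Added example for this thread; not code from the posts or from CakePHP.
// The helpers are stand-ins that imitate the behaviour the posts describe.

// Stand-in for Cake's Sanitize::sql(): add slashes only when magic quotes
// has not already done so. get_magic_quotes_gpc() was removed in PHP 8,
// so its absence is treated as "magic quotes off".
function sanitizeSqlStandIn($value)
{
    $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicQuotesOn ? $value : addslashes($value);
}

// The pattern from the thread: a condition string assembled by hand.
// Cake passes this string through as-is, so nothing escapes $id.
function conditionFromRawValue($id)
{
    return "id='{$id}'";
}

// The same condition with the value escaped first.
function conditionFromEscapedValue($id)
{
    return "id='" . sanitizeSqlStandIn($id) . "'";
}

// For numeric keys a type check is stricter than escaping: anything that
// is not a plain integer is rejected instead of quoted.
function conditionFromIntegerId($id)
{
    if (!preg_match('/^\d+$/', (string) $id)) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return 'id=' . (int) $id;
}

// The double escaping the magic-quotes reply warns about: escaping a value
// that magic quotes already escaped doubles every backslash, which ends up
// stored in the database as literal backslashes.
function doubleEscaped($value)
{
    return addslashes(addslashes($value));
}

// Constructed sample input: an id with a stray quote character.
$id = "7'";

echo "raw:      ", conditionFromRawValue($id), "\n";
echo "escaped:  ", conditionFromEscapedValue($id), "\n";
echo "double:   ", doubleEscaped($id), "\n";

try {
    echo "integer:  ", conditionFromIntegerId($id), "\n";
} catch (InvalidArgumentException $e) {
    echo "integer:  rejected (", $e->getMessage(), ")\n";
}
echo "integer:  ", conditionFromIntegerId("7"), "\n";
```

Run it with `php example.php`. The raw line shows the stray quote reaching the query text unchanged, the escaped line shows it backslashed, and the double line shows why escaping must be conditional on magic quotes. gwoo's remark that Cake escapes by default applies to values Cake itself places into the query (for example the array-style conditions Cake's model methods accept, which is an assumption about the 1.x API rather than something the thread states); the moment a condition is interpolated into a string by hand, the escaping is the caller's job again.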