Hi guys,

There is a class created by Monte Ohrt (Smarty Project) that can parse metachars inside a SQL string:
http://www.phpinsider.com/php/code/SafeSQL/

I've been using it for some time now and I think that Cake should implement something like that in the models. It works like this:

    require 'SafeSQL.class.php';

    // dummy up a variable with a single quote in it
    $section_name = "fred's place";

    // run the query through SafeSQL
    $safesql = new SafeSQL_MySQL;
    $query_string = $safesql->query("select * from sections where Section_Name = '%s'", array($section_name));
    echo $query_string;

OUTPUT:

    select * from sections where Section_Name = 'fred\'s place'

// $query_string is now safe to pass to your SQL library

I managed to hack a method inside the AppModel. It goes like this:

    vendor('spine'.DS.'DB'.DS.'SafeSQL');

    class AppModel extends Model {
        var $sq = null;

        function __construct ($id=false, $table=null, $ds=null) {
            $this->sq = new SafeSQL_MySQL();
            parent::__construct($id, $table, $ds);
        }

        // run $sql through SafeSQL (escaping each %s argument) before handing it to Model::query()
        function safeQuery($sql, $args = array()) {
            return $this->query($this->sq->query($sql, $args));
        }
    }

.. And then:

    $data = array("fred's place");
    $this->Post->safeQuery('UPDATE post SET title = "%s" WHERE id = 3', $data);

I think it would be great to do something like...

    $this->Post->findAll('title = "%s"', $data);

... or applying it to the $this->Model->save() method, or in an array inside the models like $this->Model->validate. I just think that it is cleaner than sanitize. Maybe internally it would call sanitize. It would be great. What do you think?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php
-~----------~----~----~----~------~----~------~--~---
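As an added example (not SafeSQL's, Monte Ohrt's or CakePHP's code), here is a minimal formatter of the same kind as the one the post describes, beside the prepared-statement form that sidesteps string building altogether. The class name SqlFormatter, the %i placeholder, and the findSectionIds() helper are assumptions for illustration; the escape set mirrors the characters MySQL treats specially in a quoted literal (valid for single-byte-safe connection charsets; with a live connection, mysqli_real_escape_string or PDO::quote know the actual charset and should be preferred). One deliberate difference from SafeSQL: the formatter adds the quotes around each %s itself, so a caller cannot forget them and leave a placeholder unquoted. The SQLite in-memory database is used only so the example runs offline (it assumes the pdo_sqlite extension).

```php
<?php
// Added example, not code from the post or from SafeSQL/CakePHP.
declare(strict_types=1);

final class SqlFormatter
{
    /**
     * Escape the characters MySQL treats specially inside a quoted string
     * literal. Assumes a single-byte-safe connection charset; a real
     * connection's own escaping function (which knows the charset) is safer.
     * strtr() with an array does not re-scan replaced text, so the backslash
     * rule cannot double-escape the escapes added by the other rules.
     */
    public static function escape(string $value): string
    {
        return strtr($value, [
            "\\"   => "\\\\",
            "\0"   => "\\0",
            "'"    => "\\'",
            "\""   => "\\\"",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ]);
    }

    /**
     * Replace each %s with a quoted, escaped string and each %i with an
     * integer; %% yields a literal percent sign. Arguments are consumed left
     * to right, and a count mismatch is an error rather than silently
     * producing a different query.
     */
    public static function format(string $template, array $args): string
    {
        $i = 0;
        $sql = preg_replace_callback('/%([si%])/', function (array $m) use (&$i, $args): string {
            if ($m[1] === '%') {
                return '%';
            }
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException('not enough arguments for placeholders');
            }
            $value = $args[$i++];
            if ($m[1] === 'i') {
                return (string) (int) $value;   // integers are never quoted, only coerced
            }
            return "'" . self::escape((string) $value) . "'";
        }, $template);
        if ($i !== count($args)) {
            throw new InvalidArgumentException('too many arguments for placeholders');
        }
        return $sql;
    }
}

/**
 * The same lookup with a prepared statement (hypothetical helper): the value
 * never becomes part of the SQL text, so no escaping is involved at all.
 */
function findSectionIds(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM sections WHERE Section_Name = :name');
    $stmt->execute([':name' => $name]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data: an in-memory SQLite table with the value from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sections (id INTEGER PRIMARY KEY, Section_Name TEXT)');
$db->exec("INSERT INTO sections (Section_Name) VALUES ('fred''s place'), ('other')");

$name = "fred's place";   // constructed input containing a single quote

echo SqlFormatter::format('SELECT * FROM sections WHERE Section_Name = %s', [$name]), "\n";
echo SqlFormatter::format('UPDATE post SET title = %s WHERE id = %i', [$name, '3']), "\n";
var_dump(findSectionIds($db, $name));
```

The first echo produces the same string the post shows, `SELECT * FROM sections WHERE Section_Name = 'fred\'s place'`, and the `%i` in the second keeps a numeric argument from ever being interpreted as SQL. The formatted strings are only printed, not executed, because SQLite does not use backslash escapes; the prepared-statement helper is the part that actually runs against the database and returns the id of the matching row.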
