Hi, the bottom line is that you should not trust any parameter generated outside your app by the user.
You should do input validation, which is what the Sanitize class is for. So, let's say the $id should not contain '; delete * from user'. If your id is expected to be an int, make sure it only contains an int.

Hope this helps.

On Fri, Aug 31, 2012 at 4:36 PM, Mariano C. <[email protected]> wrote:
> My method is something like
>
> public function getSomething($id) {
>     $sql = "SELECT ... WHERE id =".$id;
>     return $this->Model->query($sql);
> }
>
> How should I use your tips?
>
> On Friday, August 31, 2012 05:11:34 UTC+2, Dr. Tarique Sani wrote:
>
>> Using prepared statements via the fetchAll method with Sanitize::clean
>> is the way to go
>>

--
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
Visit this group at http://groups.google.com/group/cake-php?hl=en-US.
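The following is an added example, not code from anyone in this thread. It puts the concatenating method from the question next to two hardened forms: the prepared statement via fetchAll that Dr. Sani suggests, plus an integer check on $id, and the ORM find() call that needs no raw SQL at all. It assumes CakePHP 2.x, where DboSource::fetchAll($sql, $params) binds ? placeholders as prepared-statement parameters; the model name, table and column names are made up for the example.

```php
<?php
// Added example (not from the original thread). Assumes CakePHP 2.x:
// DboSource::fetchAll($sql, $params) binds "?" placeholders as prepared-
// statement parameters. Model/table/column names are hypothetical.
App::uses('AppModel', 'Model');

class User extends AppModel {

    // The pattern from the question: $id is pasted into the SQL string.
    // An $id such as "1 OR 1=1" or "1; DELETE FROM users" is parsed as SQL,
    // so whatever the caller sends becomes part of the query.
    public function getSomethingUnsafe($id) {
        $sql = "SELECT id, name FROM users WHERE id = " . $id;
        return $this->query($sql);
    }

    // Hardened form, step 1: the value must look like an integer before it
    // goes anywhere near the database. ctype_digit rejects "1 OR 1=1",
    // "1; DELETE ...", "", and anything with quotes or spaces.
    protected function _requireIntId($id) {
        if (!ctype_digit((string)$id)) {
            throw new InvalidArgumentException('id must be a non-negative integer');
        }
        return (int)$id;
    }

    // Hardened form, step 2: bind the value instead of concatenating it.
    // The SQL text and the parameter travel separately, so the driver never
    // parses the parameter as SQL, even if validation is later relaxed.
    public function getSomething($id) {
        $id = $this->_requireIntId($id);
        $db = $this->getDataSource();
        $sql = 'SELECT id, name FROM users WHERE id = ?';
        return $db->fetchAll($sql, array($id));
    }

    // Usually no raw SQL is needed: the ORM quotes condition values itself.
    public function getSomethingViaFind($id) {
        $id = $this->_requireIntId($id);
        return $this->find('first', array(
            'conditions' => array('User.id' => $id),
            'fields'     => array('User.id', 'User.name'),
        ));
    }
}
```

Both checks matter: the integer check is the input validation Sanitize is meant for, and the placeholder is the prepared statement that keeps the query safe even for string parameters, where a type check alone would not be enough.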
