We use something like this in the models:
// $user_id is passed as a bound parameter, so it is never spliced into the SQL text
$query = "SELECT * FROM user WHERE id=:user_id";
$data = $this->getDataSource()->fetchAll($query, array("user_id" => $user_id), array("cache" => false));
On Fri, Aug 31, 2012 at 2:13 AM, Phang Mulianto <[email protected]> wrote:
> hi,
>
> the bottom line is you should not trust any parameter generated from
> outside your app by the user.
>
> You should do input validation, which is the Sanitize class.
>
> so let's say the $id will not contain '; delete * from user'; if your id
> is expected to be an int, make sure it only contains an int
>
> hope this helps
>
>
> On Fri, Aug 31, 2012 at 4:36 PM, Mariano C. <[email protected]> wrote:
>
>> My method is something like
>>
>> public function getSomething($id) {
>>     // $id is concatenated straight into the SQL string
>>     $sql = "SELECT ... WHERE id =" . $id;
>>     return $this->Model->query($sql);
>> }
>>
>> How should I use your tips?
>>
>> On Friday, 31 August 2012 05:11:34 UTC+2, Dr. Tarique Sani
>> wrote:
>>
>>> Using prepared statements via the fetchAll method with Sanitize::clean
>>> is the way to go
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "CakePHP" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> Visit this group at http://groups.google.com/group/cake-php?hl=en-US.
--
--Everything should be made as simple as possible, but not simpler (Albert
Einstein)
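An added example, not from the thread or from CakePHP itself, that puts the concatenated query Mariano posted next to the bound-parameter form from the reply above, and adds the integer check Phang suggested. It runs against a constructed in-memory SQLite table through plain PDO (which is what CakePHP 2's DboSource::fetchAll uses underneath); the table, its rows and the `1 OR 1=1` input are constructed for this example.

```php
<?php
// Constructed fixture: a tiny "user" table so both query styles can be run offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO user (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// The shape from Mariano's message: $id becomes part of the SQL text itself,
// so whatever it contains is parsed by the database as SQL.
function getSomethingUnsafe(PDO $pdo, $id) {
    $sql = "SELECT * FROM user WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The shape from the top reply: the value travels as a bound parameter and is
// never interpreted as SQL. The equivalent CakePHP 2 model call is
//   $this->getDataSource()->fetchAll($sql, array('user_id' => $id), array('cache' => false));
function getSomethingBound(PDO $pdo, $id) {
    $sql = "SELECT * FROM user WHERE id = :user_id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array('user_id' => $id));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Phang's point as defence in depth: if the id must be an int, refuse anything
// else before it gets anywhere near the query.
function getSomethingValidated(PDO $pdo, $id) {
    if (!is_int($id) && !ctype_digit((string) $id)) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return getSomethingBound($pdo, (int) $id);
}

$tainted = '1 OR 1=1';   // constructed untrusted input standing in for a request parameter

// Concatenation: the OR clause is executed, so every row comes back.
echo count(getSomethingUnsafe($pdo, $tainted)) . " rows from the concatenated query\n";

// Binding: the whole string is compared against the id column as a value.
echo count(getSomethingBound($pdo, $tainted)) . " rows from the bound query\n";

// Validation: the input is rejected outright; a genuine int still works.
try {
    getSomethingValidated($pdo, $tainted);
} catch (InvalidArgumentException $e) {
    echo "validated version rejected input: " . $e->getMessage() . "\n";
}
echo count(getSomethingValidated($pdo, 2)) . " row for a genuine integer id\n";
```

Run with the pdo_sqlite extension enabled; the row counts printed by the three variants show why binding (with validation on top) is the fix rather than escaping the string by hand.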