Being the paranoid type (I'm not really, they actually *are* out to get me), I started looking at data cleansing today, which is one area of cake I'm a little unsure of, but getting it right is pretty important :)
From the testing I've done, it appears that values are automatically SQL escaped when used in model->find*() conditions, so Sanitize->sql() needs to be used only when 'rolling your own' SQL statements. Save() seems to do the same. Field values that contain " (double quotes), <, > etc. are also escaped when re-rendered back to the form field value attribute - is this cake doing this? This just leaves Sanitize->html() to deal with values that (are user entered, but then) are re-displayed as HTML.

I would be grateful if the above statements could be confirmed/denied, along with any comment that can improve my understanding of cake's abilities.

~GreyCells
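A worked illustration of the three contexts the post distinguishes (model conditions, hand-written SQL, and values echoed back into HTML), added here as an example; it is not code from the original post or from CakePHP itself. It assumes the CakePHP 1.1-era API: uses() to load a core lib, an array of conditions passed to Model::findAll(), Model::query() for raw SQL, and the Sanitize::sql() / Sanitize::html() helpers the post names. The Post model, the PostsController actions, the view file and the `q` URL parameter are hypothetical.

```php
<?php
// Added example, not code from the original post or from CakePHP itself.
// Assumes the CakePHP 1.1-era API: uses() to load a core lib, array conditions
// for Model::findAll(), Model::query() for hand-written SQL, and the
// Sanitize::sql() / Sanitize::html() helpers named in the post. The Post model,
// the actions and the 'q' URL parameter are hypothetical.
uses('sanitize');

class PostsController extends AppController {
    var $name = 'Posts';
    var $uses = array('Post');

    // Pull the untrusted search term out of the query string (assumed to be
    // exposed as $this->params['url']['q'] in this version of cake).
    function _term() {
        return isset($this->params['url']['q']) ? $this->params['url']['q'] : '';
    }

    // Context 1: SQL through the model layer. The conditions value is escaped
    // by the model/datasource, so  q = x' OR '1'='1  is matched literally as a
    // title and cannot change the WHERE clause. No Sanitize::sql() needed.
    function search() {
        $q = $this->_term();
        $this->set('posts', $this->Post->findAll(array('Post.title' => $q)));
        $this->set('q', $q);
    }

    // Context 2: hand-rolled SQL. Nothing escapes the value for you here.
    function searchRaw() {
        $q = $this->_term();

        // VULNERABLE 'before' case, kept only for comparison (do not ship):
        //   q = x' OR '1'='1   makes this statement return every row.
        //   $posts = $this->Post->query("SELECT * FROM posts WHERE title = '$q'");

        // Escape the value before splicing it into a *quoted* string literal.
        $safeQ = Sanitize::sql($q);
        $posts = $this->Post->query("SELECT * FROM posts WHERE title = '" . $safeQ . "'");
        $this->set('posts', $posts);
        $this->set('q', $q);
    }
}
?>
<?php /* --- app/views/posts/search.thtml: a separate file in a real app --- */ ?>
<?php
// Context 3: HTML output. Being safe for SQL says nothing about HTML: a search
// term or stored title of <script>alert(1)</script> would execute if echoed raw.
// Escape at the point of rendering, for the context it lands in, not at storage.
?>
<p>Results for: <?php echo Sanitize::html($q); ?></p>
<ul>
<?php foreach ($posts as $post): ?>
    <li><?php echo Sanitize::html($post['Post']['title']); ?></li>
<?php endforeach; ?>
</ul>
```

To see the difference, request both actions with `?q=x'+OR+'1'='1` and then with `?q=<script>alert(1)</script>`: the first payload only returns every row when the raw query in searchRaw() is uncommented, and the second is rendered as visible text rather than executed because the view escapes on output. Two caveats worth keeping in mind: an escaping function like Sanitize::sql() only protects a value placed inside a quoted string literal, so a number spliced unquoted (`WHERE id = $id`) should be cast with intval() or validated instead; and Sanitize::html() covers the HTML element and attribute contexts (which is also what makes the re-rendered form value attribute safe), not a value dropped into a JavaScript block or a URL.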
