For general items like title, datetime etc. there is no need to
manually sanitize, as it is all handled internally. Sanitize is only
required when you want to really restrict what input the user is
entering, e.g. on your Textile field you probably want to run
Sanitize::stripAll() to remove anything that resembles HTML.

Geoff
--
http://lemoncake.wordpres.com

On Jul 23, 10:19 am, citrus <[EMAIL PROTECTED]> wrote:
> I have a small question with Sanitize library, as I'm not really good
> at solving security problems that may arise in my application.
>
> As I already know, Sanitize comes with lots of methods: paranoid,
> escape, html, etc.
>
> But I wonder when to use which method, and I'm really confused with
> it.
>
> For instance, I have a form with a title field, a body field, a
> datetime field and a select field. Before saving my POSTed data to the
> database, what should I do to the data?
>
> I mean, I want the title to be SQL-safe, but it should support all
> kinds of legit characters: spaces, quote ('), Unicode chars, etc. When
> I try paranoid, the ' is stripped, and when I use escape, it turns
> into &#...; which looks ugly in the edit form.
>
> Then, the body. I want it to be formatted with Textile, so what
> sanitizing method should I use? The same question goes for the datetime
> field and the select field. Should I filter this submitted data, or
> assume that no one can harm my application by changing the HTML
> beneath them?
>
> Well, hope that I made it clear. English is not my mother-tongue.
>
> Thanks for your advice in advance.
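The split the reply describes (let the database layer handle SQL safety, restrict what you store only where you really want to, and escape for HTML when rendering rather than before saving) as an added example in plain PHP with PDO and SQLite, so it runs without CakePHP. This is not code from the thread or from CakePHP's Sanitize class; the field names, the status whitelist and the sample submission are constructed for illustration.

```php
<?php
// Added example: field-by-field handling of the title / body / datetime /
// select form from the question. Plain PHP + PDO, not CakePHP code.

function filterPost(array $post): array {
    $clean = [];

    // Title: keep spaces, quotes and Unicode. Do not strip characters for
    // SQL safety; the bound parameter below takes care of that. Only bound
    // the length (in bytes) so the column cannot be flooded.
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('title missing or too long');
    }
    $clean['title'] = $title;

    // Body: it will be rendered through Textile later, so remove anything
    // that looks like raw HTML now. Textile markup (*bold*, _em_) survives.
    $clean['body'] = strip_tags((string)($post['body'] ?? ''));

    // Datetime: accept exactly one format and re-emit it canonically.
    $dt = DateTime::createFromFormat('Y-m-d H:i:s', (string)($post['published'] ?? ''));
    if ($dt === false) {
        throw new InvalidArgumentException('datetime not in Y-m-d H:i:s form');
    }
    $clean['published'] = $dt->format('Y-m-d H:i:s');

    // Select: the <option> list in the browser is not a boundary, anyone can
    // submit any value, so check against the server-side whitelist.
    $allowedStatus = ['draft', 'published']; // assumed set for this example
    $status = (string)($post['status'] ?? '');
    if (!in_array($status, $allowedStatus, true)) {
        throw new InvalidArgumentException('status not in allowed set');
    }
    $clean['status'] = $status;

    return $clean;
}

// Storage: prepared statement with bound values, so a quote in the title is
// stored verbatim and never interpreted as SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published TEXT, status TEXT)');

// Constructed sample submission, standing in for the POSTed form data.
$submitted = [
    'title'     => "O'Reilly's guide to café UTF-8",
    'body'      => "Some *textile* text<script>alert(1)</script> and _more_",
    'published' => '2008-07-23 10:19:00',
    'status'    => 'draft',
];

$row  = filterPost($submitted);
$stmt = $db->prepare('INSERT INTO posts (title, body, published, status) VALUES (:title, :body, :published, :status)');
$stmt->execute($row);

// Output: escape for HTML at render time. Because nothing was entity-encoded
// before saving, the edit form gets the original text back, not &#39; noise.
$stored = $db->query('SELECT title, body FROM posts')->fetch(PDO::FETCH_ASSOC);
echo 'Stored title: ' . $stored['title'] . PHP_EOL;
echo 'Stored body : ' . $stored['body'] . PHP_EOL;
echo 'Edit form   : <input value="' . htmlspecialchars($stored['title'], ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;
```

The point of the example is which step does which job: the prepared statement answers "SQL-safe" for every field, `strip_tags` answers "no raw HTML in the Textile body", the whitelist and date parser answer "can a user change the HTML beneath the select/datetime", and `htmlspecialchars` at render time answers the ugly-entities complaint.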


You received this message because you are subscribed to the Google Groups "Cake PHP" group.