> Question about Sanitization. Am I right in thinking that I need to
> process each field in my submitted data and then rebuild the array to
> send to my model for saving? That doesn't seem right to me from the
> point of view of the framework. I would have thought that I could
> simply pass it my data array or a string and it would return the
> correct structure sanitized.

No. Cake will (SQL-)escape your data before saving to the database and
(HTML-)escape it when output through Cake helpers, but Cake will not
automatically strip dangerous data (like script tags) from user input; you
need to sanitize/escape that yourself when you output directly in views
(without using Cake helpers). Luckily Cake provides the h() and
Sanitize::strip<What>() methods.

> Unless I am completely doing it wrong of course.
>
>     $san = new Sanitize();
>     $this->data = $san->escape($this->data);
>
> That causes all sorts of pretty errors because I am assuming escape
> expects a single string.
>
> In this case I will have to write a function that accepts and then
> returns my data array. No big deal; I am just, as I said, surprised that
> CakePHP does not do this.

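As an added example (not code from this thread or from CakePHP itself), here is the difference between escaping at output time with an h()-style helper, which is what the reply recommends, and walking the submitted array so every field is escaped in one pass, which is what the question was after. `h_stand_in()` and `escape_array_recursive()` are assumed helpers standing in for Cake's h(); the `$data` array is a constructed sample of a form post.

```php
<?php
// Stand-in for CakePHP's h() (assumption: h() wraps htmlspecialchars()).
function h_stand_in($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample of what $this->data might hold after a form post,
// including a script tag and characters that matter inside attributes.
$data = array(
    'Post' => array(
        'title' => 'Hello <script>alert(1)</script>',
        'body'  => 'Quotes " and \' and & ampersands',
        'tags'  => array('cake', '<b>php</b>'),
    ),
);

// Option 1: escape at output time. The stored data stays as the user
// typed it; each value is escaped exactly where it is echoed into HTML.
echo '<h1>' . h_stand_in($data['Post']['title']) . "</h1>\n";
echo '<input value="' . h_stand_in($data['Post']['body']) . '">' . "\n";

// Option 2: escape the whole array before handing it to the model.
// A string-only function cannot take an array, so recurse over it.
// Hypothetical helper, not part of CakePHP. Caveat: values stored this
// way get escaped again by the helpers on output (double escaping), so
// option 1 is the safer default.
function escape_array_recursive($value) {
    if (is_array($value)) {
        return array_map('escape_array_recursive', $value);
    }
    return h_stand_in((string) $value);
}

$escaped = escape_array_recursive($data);
foreach ($escaped['Post']['tags'] as $tag) {
    echo $tag, "\n";
}
```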