Native model methods quote string values themselves. So the query will have correct syntax but incorrect values, like `id` = 'kill your app'. It will not produce an error, nor return a result.

In case of using find model methods, you can rely on it or check for validity beforehand so as not to execute an absolutely unnecessary query. In case of using model save/update methods, it is better to check the ID before save or you may achieve strange results.

On Mar 18, 9:50 am, Aurelius <[email protected]> wrote:
> is it been validated in the Model, e.g. when this is called:
> $whatever = $this->User->read( null, $id);
>
> Is that enough so I can be sure that it's an int?
> if( bccomp($id, intval($id), 3) != 0 ) die( __ ( "We couldn't find
> this Shop.",true) );
>
> thx
> Aurelius
>
> On 16 Mrz., 05:36, "Dr. Loboto" <[email protected]> wrote:
> > No one checked your $id. It is insecure. Anyone can call your action
> > as http://domain.com/controller/edit or http://domain.com/controller/edit/013
> > or http://domain.com/controller/edit/kill%20your%20app
> >
> > On Mar 16, 1:04 am, Aurelius <[email protected]> wrote:
> > > Hi!
> > >
> > > When I have a function like
> > > function edit($id = null) { ... }
> > > is the $id already checked against hacking and can only be an integer
> > > or is it insecure?
> > >
> > > thx
> > > Aurelius
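Added example (not code from the thread or from CakePHP): a strict check for a URL-supplied $id, run against the kinds of values discussed above, to place before the model call in an edit() action. The helper name isValidId and the sample inputs are constructed for illustration.

```php
<?php
// Added example: reject a URL-supplied $id before it reaches a CakePHP model
// call such as $this->User->read(null, $id) or a find()/save().

/**
 * True only for a canonical positive decimal integer as it appears in a clean
 * URL ("42"). Rejects "013" (leading zero), "kill your app", "" (missing id),
 * "-1", "1e3", "4.0" and non-scalar values such as arrays.
 */
function isValidId($id)
{
    if (is_int($id)) {
        return $id > 0;
    }
    if (!is_string($id) || !ctype_digit($id)) {
        return false;   // empty, non-string, or contains anything but 0-9
    }
    // Round-trip through int: "013" becomes "13" and so fails the comparison;
    // "0" passes ctype_digit but fails the positivity check.
    return $id === (string) (int) $id && (int) $id > 0;
}

// Constructed sample inputs mirroring the URLs mentioned in the thread.
$samples = array('42', '013', 'kill your app', '', '-1', '1e3', '4.0', array('1'));
foreach ($samples as $id) {
    $shown = is_array($id) ? 'array' : "'" . $id . "'";
    printf("%-16s => %s\n", $shown, isValidId($id) ? 'accepted' : 'rejected');
}

// In a CakePHP 1.x controller action the check sits before the model call
// (cakeError('error404') is the framework's error handler; Shop and the
// surrounding action are illustrative):
//
//   function edit($id = null) {
//       if (!isValidId($id)) {
//           return $this->cakeError('error404');   // no query is ever built
//       }
//       $shop = $this->Shop->read(null, (int) $id);
//       ...
//   }
```

Only '42' is accepted; every other sample is rejected before any SQL is generated, so the "correct syntax, wrong value" query described above never runs.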
