I'm a cake noob, so if this is obvious, I apologize.
I have a form, and when it's submitted, I grab a username out of the
database using this line.
$this->User->find('all', array(
    'conditions' => array('User.username' => $this->data['User']['username']),
    'fields'     => array('User.password')
));
As a test, I put asdf''' in the username field.
I have debug turned to 2 if I remember right, and it outputs the
following query.
SELECT `User`.`password`, `User`.`id` FROM `users` AS `User` WHERE
`User`.`username` = 'adsf\'\'\''
I checked, and I have magic quotes off. If I print_r $this->data or
$_POST, username is still asdf'''.
I tried the sanitize::escape function, and got this line.
SELECT `User`.`password`, `User`.`id` FROM `users` AS `User` WHERE
`User`.`username` = 'adsf\\\'\\\'\\\''
So, what I need to know is whether cake is automatically cleaning my
variables when I use them in a find and, if so, how to fix it.
Or, if I have some setting that I don't know about set that I need to
fix.
Or, if the debug menu escapes everything but leaves the query alone.
Thanks!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
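The two queries printed in the post, reproduced as an added example that is not part of the original message or of CakePHP. It assumes PHP with PDO and an in-memory SQLite database (so it runs without MySQL), builds the users table and one row here, and uses the hypothetical helper names findPasswordOnce and findPasswordTwice. It shows that binding the value once through the database layer is what produces the `'asdf\'\'\''` form seen in the first debug query, and that escaping the value by hand first (addslashes stands in for Sanitize::escape) sends `asdf\'\'\'` as the literal search value, which is the second debug query and matches nothing.

```php
<?php
// Added example (not from the post): escaping a value that the query layer
// already escapes changes what is searched for. PDO + in-memory SQLite is an
// assumption made so this runs stand-alone; table and row are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");

// Constructed row: a user whose name really contains three single quotes,
// the same value the poster typed into the form.
$storedUsername = "asdf'''";
$insert = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$insert->execute(array($storedUsername, 'placeholder-password-hash'));

// Hypothetical helper: look the user up the way a query builder does. The
// value travels as a bound parameter and the driver quotes it exactly once,
// which is what the debug output's 'asdf\'\'\'' represents.
function findPasswordOnce(PDO $pdo, $username)
{
    $stmt = $pdo->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->execute(array($username));
    return $stmt->fetchColumn();   // false when no row matches
}

// Hypothetical helper: the double-escape. addslashes() stands in for a
// Sanitize-style escape applied before the query layer escapes again, so the
// backslashes become part of the value being compared.
function findPasswordTwice(PDO $pdo, $username)
{
    return findPasswordOnce($pdo, addslashes($username));
}

// Constructed request value, as it would arrive in $_POST with magic quotes off.
$posted = "asdf'''";

var_dump(findPasswordOnce($pdo, $posted));
var_dump(findPasswordTwice($pdo, $posted));
```

Run with `php example.php`: the first var_dump prints the stored password string, because the quotes in the value were escaped once and the comparison sees `asdf'''`; the second prints false, because the row is now being compared against `asdf\'\'\'`. The same effect applies to writes: saving a hand-escaped value stores the backslashes, so later logins against the raw input fail. Escape in exactly one place, the database layer, and leave the value as the user typed it everywhere else.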