When you pass variables to a model function normally (as in your example), Cake properly escapes values. When Cake puts POST data into the controller's $this->data it respects the magic_quotes setting and always puts clean values there. You should not want anything else.

BTW, 'adsf\'\'\'' is the proper way to pass the asdf''' value into an SQL query. When you first sanitize asdf''' and then pass it to find() you receive the wrong query because of double escaping.

On May 14, 11:29 am, Misplacedme <[email protected]> wrote:
> I'm a cake noob, so if this is obvious, I apologize.
>
> I have a form, and when it's submitted, I grab a username out of the
> database using this line.
> $this->User->find('all', array(
>     'conditions' => array('User.username' => $this->data['User']['username']),
>     'fields' => array('User.password')
> ));
>
> As a test, I put asdf''' in the username field.
>
> I have debug turned to 2 if I remember right, and it outputs the
> following query.
> SELECT `User`.`password`, `User`.`id` FROM `users` AS `User` WHERE `User`.`username` = 'adsf\'\'\''
>
> I checked, and I have magic quotes off. If I print_r $this->data or
> $_POST, username is still asdf''';
>
> I tried the Sanitize::escape function, and got this line.
> SELECT `User`.`password`, `User`.`id` FROM `users` AS `User` WHERE `User`.`username` = 'adsf\\\'\\\'\\\''
>
> So, what I need to know is if cake is automatically cleaning my
> variables when I use it in a find, how to fix it.
> Or, if I have some setting that I don't know about set that I need to
> fix.
> Or, if the debug menu escapes everything but leaves the query alone.
>
> Thanks!
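The double-escaping effect described in the reply, reproduced as an added example (not CakePHP code): Python's sqlite3 stands in for Cake's database driver, `addslashes` imitates PHP's addslashes() for both Sanitize::escape and the driver's own quoting, and the user row and password value are constructed.

```python
"""Single vs. double escaping of asdf''' on its way into a query."""
import sqlite3

# Constructed test value, the same one typed into the form in the thread.
USERNAME = "asdf'''"


def addslashes(value: str) -> str:
    """Backslash-escape quotes the way PHP's addslashes() does.
    Stands in for what Sanitize::escape and the MySQL driver each do."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def mysql_literal(value: str) -> str:
    """Render a value as the quoted literal the MySQL driver would emit."""
    return "'" + addslashes(value) + "'"


def escaped_once(value: str) -> str:
    """Raw form value handed to find(): the driver escapes exactly once."""
    return mysql_literal(value)


def escaped_twice(value: str) -> str:
    """Value run through Sanitize::escape first, then handed to find()."""
    return mysql_literal(addslashes(value))


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row whose name has quotes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (USERNAME, "constructed-password-hash"))
    return conn


def find_password(conn: sqlite3.Connection, username: str):
    """Parameterised lookup: the driver quotes the bound value itself."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def lookup_raw():
    """Correct: pass the form value through untouched; the row is found."""
    return find_password(make_db(), USERNAME)


def lookup_pre_escaped():
    """Wrong: pre-escaping searches for asdf\\'\\'\\' which matches no row."""
    return find_password(make_db(), addslashes(USERNAME))


if __name__ == "__main__":
    print(escaped_once(USERNAME), escaped_twice(USERNAME))
    print(lookup_raw(), lookup_pre_escaped())
```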
