How do I block sql injections in CAKEphp

How do I block sql injections开发者_如何学Go from a page like this one...http://u.neighborrow.com/items/recent

CakePHP already protects you against SQL Injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (ie. array('field' => $value)) instead of raw SQL. For sanitization against XSS its generally better to save raw HTML in database without modification and sanitize at the time of output/display.

This should give you a good idea of how to do it.

App::import('Sanitize'); 
class MyController extends AppController {     ...     ... } 

Once you've done that, you can make calls to Sanitize statically.

CakePHP takes care of it. Read their book.

You need sanitize only in the rare cases where you need to write raw queries.

Raw query is:

$this->User->query("select username from users where email='$email_received_from_user_form'");

before executing that you need to:

App::import('Sanitize');

$email_received_from_user_form = Sanitize::paranoid($email_received_from_user_form, array('@', '_', '-', '.'));

If used right data sanitization will remove/edit all the malicious chars in the query (no sql injections).

See here: http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html

After you learn all about Data Sanitization try to never use it. Use the CakePHP way like so:

$this->User->field('username', array('email' => $email_received_from_user_form));

I this case you don't have to worry about SQL injections at all. You should never use raw queries unless your don't have other choice.