Home/ Questions/Q 1003671
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T08:00:54+00:00

For some reason the AppModel->updateAll() method does not escape data passed to it. Looking

  • 0

For some reason the AppModel->updateAll() method does not escape data passed to it. Looking over the documentation though, I can’t find anything on how you actually escape data with CakePHP.

Down in datasources/dbo/dbo_mysql.php I found the value() method that seems to just use mysql_real_escape_string() – but how do you access that method from up in the models?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    For most of CakePHP’s model functions you don’t have to worry about escaping the input.

    CakePHP already protects you against
    SQL Injection if you use:

    1. CakePHP’s ORM
      methods (such as find() and save()) plus:
    2. Proper array notation (ie.
      array('field' => $value)) instead of
      raw SQL.

    For sanitization against XSS
    its generally better to save raw HTML
    in database without modification and
    sanitize at the time of
    output/display.

    See https://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html
    There are other cases, however, when you need to run a custom SQL query or subquery. In these cases you can either:

    Use Prepared Statements

    $db->fetchAll(
    'SELECT * from users where username = :username AND password = :password',
    ['username' => 'jhon','password' => '12345']
);

    Custom Escaping with Model->getDataSource()->value()

    $sql = 'SELECT * FROM table WHERE name = ' 
     . $this->MyModel->getDataSource()->value($untrustedInput, 'string') . ';'

    The value() function basically escapes and adds quotes like this:

    "'" . mysql_real_escape_string($data, $this->MyModel->getDataSource()->connection) . "'"

    Sanitize Class

    This used to be an option, but was deprecated as of CakePHP 2.4.

    • 0