Home/ Questions/Q 8538683
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T11:10:48+00:00

I just read this quite interesting post about security for CakePHP: Cakephp Security It

  • 0

I just read this quite interesting post about security for CakePHP: Cakephp Security

It says that whenever a helper is used, CakePHP basically takes care security risks unless I turn of escape. I believe I only turn off escape when I want my links to be images, so nesting an image helper line inside a link helper line. For example:

echo $this->Html->link($this->Html->image('logo.png'), "/" , array('id'=>'logo', 'escape' => false));

Is that bad practise? Does that leave me vulnerable? Should I be doing it some other way?

Additionally, is it correct that whenever I output database data on dynamic pages, it needs to be enclosed in htmlspecialchars($myvariable)? I don’t understand why I need to do that if I know that my database is clean from “bad stuff” and all of my forms for input into my database uses FormHelper.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In the example code shown you have all static values, no content coming from user so there’s no risk.

    Similarly for your content coming from database if for eg. all content is managed by site admin and no content from users is saved to database its reasonably safe to echo the content without escaping.

    • 0