Home/ Questions/Q 3333950
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T23:51:07+00:00

I read from the cookbook (sec. 4.2) CakePHP already protects you against SQL Injection

  • 0

I read from the cookbook (sec. 4.2)

CakePHP already protects you against SQL Injection if you use CakePHP’s ORM methods (such as find() and save()) and proper array notation (ie. array(‘field’ => $value)) instead of raw SQL. For sanitization against XSS its generally better to save raw HTML in database without modification and sanitize at the time of output/display.

So are we sure that we NEVER need to manually sanitize user data against SQL, provided we restrict to methods such as find() and save()? Especially, is this true if I take my data from $_POST directly instead than from $this->data? In other words suppose I do a find() query using $this->data. Then CakePHP sanitize against SQL when writing the array $this->data or when writing the query for find()?

My second question is for sanitizing data to be displayed. Is Sanitize::html idempotent? So, can I use it in my beforeSave() method, or will it break the second time I save beacuse it is applied again and gives a new result?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    About this question:

    CakePHP sanitize against SQL when writing the array $this->data or when writing the query for find()?

    Cakephp does not sanitize $this->data in the controller, if you check the cake code, in Dispatcher::parseParams() http://api13.cakephp.org/view_source/dispatcher/#line-244 you will see that when $_POST is copied to controller data the values are not sanitized.

    However, using $_POST is not recommended because you will loose all the cake’s magic that you gain when using the form helper

    • 0