Home/ Questions/Q 8758313
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T14:30:53+00:00

I was under the impression that the FormHelper not only automatically protects me from

  • 0

I was under the impression that the FormHelper not only automatically protects me from SQL injection, but also per default escapes special characters like the HtmlHelper does. However, when I have: 

<?php echo $this->Form->input('field', array('escape' => true)); ?>

And then enter & and ‘ for example into the field and hit save. These special characters get saved to the database without any escaping. This also happens without setting the option escape to true. So my question follows.

Is it true the CakePHP is designed so that you are not supposed nor able to escape a form field before saving using the options for the FormHelper? Or am I doing something wrong?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You do it wrong, you should escape all kind of output that is not going through a core helper by using the h() function, a shortcut for htmlspecialchars(). The core helpers, like Html::link() will do that escaping automatically.

    See also How to escape output in PHP

    • 0