Reputation: 67
In the CakePHP Docs it states
CakePHP handles SQL escaping on all parameters to Model::find() and Model::save().
I was reading up on security and sanitizing data with CakePHP and I came across this blog post.
In the author's first two examples (assuming you're using Cake 2.X), is it true that if you set a variable to some POST data, then use that variable in a find statement you're still vulnerable to SQL injection?
The author states that in this example Cake will protect you from SQL injection:
$articles = $this->Article->find('all', array(
    'conditions' => array(
        'Article.date' => $this->request->data['Article']['date'],
    )
));
Whereas this one would leave you vulnerable to SQL injection unless you use the Sanitize utility on the $date variable:
$date = $this->request->data['Article']['date'];
$articles = $this->Article->find('all', array(
    'conditions' => array(
        "Article.date='{$date}'",
    )
));
Seeing as they're both the same value ($date and $this->request->data['Article']['date']), does Cake actually handle them differently?
Also, I noticed the CakePHP documents state Sanitize is deprecated as of 2.4. I'm currently using 2.3.9. Is it still OK to use it, or should I switch to a library like HTML Purifier?
EDIT
I just noticed that the author uses "Article.date='{$date}'" rather than 'Article.date' => $date.
Upvotes: 1
Views: 1931
Reputation: 6066
The variables are escaped if you are using:
'conditions' => array(
    'Article.date' => $this->request->data['Article']['date'],
)
In the second example, you would be responsible for escaping the $date variable yourself first.
Where are you using the Sanitize class now? The suggestions from the documentation might apply to your case too.
Upvotes: 1
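To make the difference between the two condition forms from the question and the answer concrete, here is an added example (not CakePHP's own code) that models how Cake 2.x's DboSource treats them: a `'Field' => $value` pair has its value quoted for you, while a plain string condition is passed to the database verbatim. The `quoteValue()` and `conditionsToSql()` functions are simplified stand-ins for Cake's `DboSource::value()` and condition building, and the request value is constructed.

```php
<?php
// Added example: a simplified model of CakePHP 2.x condition handling.
// Real Cake quotes values through PDO::quote(); quoteValue() stands in for it here.

function quoteValue($value) {
    // Standard SQL string literal: wrap in quotes and double any embedded quote,
    // so a quote inside the value can never terminate the literal early.
    return "'" . str_replace("'", "''", $value) . "'";
}

function conditionsToSql(array $conditions) {
    $parts = array();
    foreach ($conditions as $key => $value) {
        if (is_int($key)) {
            // Plain string condition ("Article.date='{$date}'"): Cake cannot know
            // which part is a value, so the whole string goes through untouched.
            $parts[] = $value;
        } else {
            // 'Article.date' => $value form: key is a field, value is quoted for you.
            $parts[] = $key . ' = ' . quoteValue($value);
        }
    }
    return 'SELECT * FROM articles WHERE ' . implode(' AND ', $parts);
}

// Constructed request value: a date that also contains a single quote.
$date = "2014-01-01' OR '1'='1";

// Safe form: the embedded quote is escaped and stays inside the literal.
echo conditionsToSql(array('Article.date' => $date)), "\n";

// Interpolated form: the embedded quote closes the literal and the rest of the
// input becomes part of the WHERE clause, which is the injection the blog post warns about.
echo conditionsToSql(array("Article.date='{$date}'")), "\n";
```

Running it prints the two generated WHERE clauses side by side, so you can see that only the interpolated form lets the request data change the query's structure; the fix is to keep using the key/value array form rather than sanitizing before interpolation.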