Reputation: 2968
How do I block SQL injections from a page like this one... http://u.neighborrow.com/items/recent
Upvotes: 4
Views: 13924
Reputation: 13309
You need to sanitize only in the rare cases where you need to write raw queries.
A raw query is:
$this->User->query("select username from users where email='$email_received_from_user_form'");
Before executing that you need to:
App::import('Sanitize');
$email_received_from_user_form = Sanitize::paranoid($email_received_from_user_form, array('@', '_', '-', '.'));
If used right, data sanitization will remove/edit all the malicious chars in the query (no SQL injections).
See here: http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html
After you learn all about Data Sanitization, try to never use it. Use the CakePHP way like so:
$this->User->field('username', array('email' => $email_received_from_user_form));
In this case you don't have to worry about SQL injections at all. You should never use raw queries unless you don't have any other choice.
Upvotes: 3
Reputation: 53111
CakePHP already protects you against SQL injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (i.e. array('field' => $value)) instead of raw SQL. For sanitization against XSS it's generally better to save raw HTML in the database without modification and sanitize at the time of output/display.
This should give you a good idea of how to do it.
App::import('Sanitize');
class MyController extends AppController { ... ... }
Once you've done that, you can make calls to Sanitize statically.
Upvotes: 18
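Putting both answers together, here is an added example (not code from either answer, nor from CakePHP itself) of a CakePHP 2.x model that does the lookup the ORM way next to the raw-query pattern both answers warn against; the model name, the method names and the bound-parameter form of query() are assumptions.

```php
<?php
// Added example, not code from either answer above. A CakePHP 2.x model that
// looks up a user by an e-mail address taken from a form. Assumed layout:
// app/Model/User.php with the usual AppModel; the `users` table and the
// `email`/`username` columns are taken from the first answer's query.
App::uses('AppModel', 'Model');

class User extends AppModel {

    // Preferred: let the ORM build and quote the WHERE clause. The value is
    // passed as data, never spliced into the SQL text, so quote characters in
    // it cannot change the query's structure. No Sanitize call is needed.
    public function findByEmail($email) {
        return $this->find('first', array(
            'conditions' => array('User.email' => $email),
            'fields'     => array('User.id', 'User.username'),
            'recursive'  => -1,
        ));
    }

    // Same lookup when only one column is wanted (the form the first answer
    // recommends): field() also takes the conditions as an array.
    public function usernameForEmail($email) {
        return $this->field('username', array('User.email' => $email));
    }

    // The pattern to avoid, from the first answer: the value is interpolated
    // into the SQL string, so the database cannot tell data from query.
    // Sanitize::paranoid() narrows the character set, but the query is still
    // assembled from user input and depends on the allow-list being right.
    public function usernameForEmailRaw($email) {
        App::import('Sanitize');
        $email = Sanitize::paranoid($email, array('@', '_', '-', '.'));
        return $this->query("SELECT username FROM users WHERE email = '$email'");
    }

    // If raw SQL is genuinely unavoidable, bind the value instead of
    // interpolating it. Assumption: in CakePHP 2.x Model::query() forwards a
    // second array argument to the datasource as PDO bind values; verify
    // this against the version you run before relying on it.
    public function usernameForEmailBound($email) {
        return $this->query(
            'SELECT username FROM users WHERE email = ?',
            array($email)
        );
    }
}
```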