Reputation: 1805
I am new to cakephp and security. I have read that security is built in for protection from MySQL injection if you follow cake's conventions, but can someone tell me if my save() will be safe without manually calling the Security class?
function edit($id) {
    $this->set('title', 'Edit your property');
    $this->Unit->id = $id;
    if (empty($this->data)) {
        $this->data = $this->Unit->read();
    } else {
        if ($this->Unit->saveAll($this->data)) {
            $this->Session->setFlash('Your property has been updated.');
        }
    }
}
Upvotes: 1
Views: 125
Reputation: 354
Cake escapes the data IF you use the db-functions of cake (like $this->modelname->save($this->data) or $this->find(..)). Be aware that if you use custom queries like $this->query("SELECT * FROM table WHERE id = " . $this->data['model']['id']); cake will NOT escape them, keep that in mind!
Upvotes: 3
Reputation: 79069
I will say no, as your parameter is not specialised or sanitized anywhere. Something like this would limit the risk:
function edit($id) {
    // type cast the id so it is forced to a number, and check that it is greater than 0
    if ((int)$id > 0) {
        // hence the injection vulnerability at $id is fixed
        // ....remaining part
    }
}
Upvotes: 1
Reputation: 2175
CakePHP will quote the data for you. Unless you are using a method similar to:
$this_year = date('Y-m-d h:i:s', strtotime('-1 year'));
$this->Baker->updateAll(
    array('Baker.approved' => true),
    array('Baker.created <=' => $this_year)
);
which takes SQL literals, you are safe and must not quote the data yourself to avoid getting the quotes in the data. Source: http://book.cakephp.org/2.0/en/models/saving-your-data.html
Upvotes: 3
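An added example, not code from the question or from any of the answers, putting the three call patterns discussed above side by side in one CakePHP 2.x model. The model name Unit comes from the question; the table name units, the name column, the bound-parameter form of query() and the $db->value() quoting for updateAll() are assumptions about a CakePHP 2.x setup.

```php
<?php
// Added example (not from the question or answers): a CakePHP 2.x model
// showing which calls quote user input for you and which do not.
// Assumes CakePHP 2.x: Model::find(), Model::query($sql, $params),
// Model::updateAll() and DboSource::value() as documented there.
App::uses('AppModel', 'Model');

class Unit extends AppModel {

    // SAFE: conditions built as arrays are quoted by the datasource,
    // so $id is treated as a value, never as SQL.
    public function findOneSafely($id) {
        return $this->find('first', array(
            'conditions' => array('Unit.id' => $id),
        ));
    }

    // SAFE: a custom query with a bound parameter. The driver sends
    // $id separately from the statement text, so no quoting is needed.
    public function findOneByRawQuery($id) {
        return $this->query(
            'SELECT * FROM units AS Unit WHERE Unit.id = ?',
            array($id)
        );
    }

    // UNSAFE (the pattern the second answer warns about): $id is
    // concatenated into the statement text, so Cake cannot quote it.
    // Kept here only to show what NOT to do.
    public function findOneUnsafely($id) {
        return $this->query(
            "SELECT * FROM units AS Unit WHERE Unit.id = '" . $id . "'"
        );
    }

    // updateAll() takes SQL literals for the values, so a string that
    // comes from a request must be quoted explicitly through the
    // datasource; the conditions array is quoted as usual.
    public function renameSafely($id, $newName) {
        $db = $this->getDataSource();
        return $this->updateAll(
            array('Unit.name' => $db->value($newName, 'string')),
            array('Unit.id' => $id)
        );
    }
}
```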