Yep - as long as you use the default find() method you will be fine. For custom SQL queries you need to sanitize or escape your content, but that's documented for the different functions, I think.
On 12 Dec., 04:45, Jamie <jamie....@gmail.com> wrote:
> My post didn't mention checking for a valid ID or saving. I said that
> Cake's DB layer sanitizes values before passing them to your database.
> In other words, it filters out SQL injection attempts. To connect the
> dots, this means that, no, you shouldn't have to do extra checking
> (though a redundant check isn't the end of the world!).
>
> - Jamie
>
> On Dec 11, 4:07 pm, "Dave Maharaj" <m...@davemaharaj.com> wrote:
> > What I'm trying to say is take site/some/action/id for example.
> >
> > Nothing to do with checking if it's a valid id, nothing to do with saving.
> >
> > Can a user add anything into the url to act as an attempt to wreak havoc? Say
> > the id is, as an example, 123 and someone types in select* from, I don't know,
> > anything malicious; that's just what I am trying to say. Similar to
> > injections through a form but this time in the url. Just like you sanitize a form
> > before you save, is there anything you need to do to a variable from the
> > url? That's what I'm trying to ask.
> >
> > Do you just trust the id passed will be good? I know, check if id 123
> > belongs to the user... but I want to know, can a user manually type something
> > into the place of id that would be harmful to the site?
> >
> > -----Original Message-----
> > From: Jamie [mailto:jamie....@gmail.com]
> > Sent: December-11-10 4:16 PM
> > To: CakePHP
> > Subject: Re: Passing Variable to delete
> >
> > Cake's DB layer (i.e. DboSource and its children) sanitizes everything
> > before passing it to your database.
> >
> > - Jamie
> >
> > On Dec 11, 6:29 am, "Dave Maharaj" <m...@davemaharaj.com> wrote:
> > > When passing an id / slug through a url for delete, are there any security
> > > precautions to add?
> > >
> > > Example
> > >
> > > function delete($id) {
> > >     $this->Model->deleteAll(array('Model.id' => $id, 'Model.owner' => $this->Auth->user('id')));
> > > }
> > >
> > > So I pretty much always use deleteAll, so it's got multiple values of checking
> > > rightful owner / permission to delete, but I'm more curious about the passing
> > > of the actual $id since anyone can pass anything they want as an $id if they
> > > want to get smart and mess with your site. So what should you do? Any added
> > > precautions? Sanitize:: the slug / id?
> > >
> > > Thanks,
> > >
> > > Dave
> >
> > Check out the new CakePHP Questions site http://cakeqs.org and help others
> > with their CakePHP related questions.
> >
> > You received this message because you are subscribed to the Google Groups
> > "CakePHP" group.
> > To post to this group, send email to cake-php@googlegroups.com
> > To unsubscribe from this group, send email to
> > cake-php+unsubscr...@googlegroups.com For more options, visit this group
> > at http://groups.google.com/group/cake-php?hl=en
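As an added example (not code from this thread or from CakePHP itself) of the distinction drawn above between the escaping that find()/deleteAll() get from DboSource and a hand-written query that gets none, assuming a CakePHP 1.3-style app with a hypothetical Post model that has `id` and `owner` columns:

```php
<?php
// Added example, not from the thread. Assumes a CakePHP 1.3-style app with a
// hypothetical Post model (table `posts`, columns `id` and `owner`).
class PostsController extends AppController {
    var $name = 'Posts';
    var $uses = array('Post');
    var $components = array('Auth', 'Session');

    // Safe: the conditions array is turned into SQL by DboSource, which
    // quotes and escapes $id itself. The owner condition also means a
    // guessed id belonging to another user matches nothing.
    function delete($id = null) {
        $deleted = $this->Post->deleteAll(array(
            'Post.id'    => $id,
            'Post.owner' => $this->Auth->user('id'),
        ), false); // false: do not cascade to associated records
        $this->Session->setFlash($deleted ? 'Deleted.' : 'Nothing to delete.');
        $this->redirect(array('action' => 'index'));
    }

    // Unsafe: a hand-built SQL string bypasses the escaping that find() and
    // deleteAll() provide, so whatever arrived in the URL is spliced into SQL.
    function delete_raw_unsafe($id = null) {
        $this->Post->query("DELETE FROM posts WHERE id = $id");
    }

    // Hardened raw query: reject anything that is not a plain integer id,
    // let the datasource quote/escape the values (DboSource::value()), and
    // keep the ownership restriction from the deleteAll() version.
    function delete_raw($id = null) {
        if (!ctype_digit((string)$id)) {
            $this->cakeError('error404');
        }
        $db = $this->Post->getDataSource();
        $this->Post->query(
            'DELETE FROM posts WHERE id = ' . $db->value($id) .
            ' AND owner = ' . $db->value($this->Auth->user('id'))
        );
        $this->redirect(array('action' => 'index'));
    }
}
```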