When to do sanitization in CakePHP


Question

I read from the cookbook (sec. 4.2):


CakePHP already protects you against SQL Injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (ie. array('field' => $value)) instead of raw SQL. For sanitization against XSS it's generally better to save raw HTML in the database without modification and sanitize at the time of output/display.

So are we sure that we NEVER need to manually sanitize user data against SQL, provided we restrict ourselves to methods such as find() and save()? Especially, is this true if I take my data from $_POST directly rather than from $this->data? In other words, suppose I do a find() query using $this->data. Does CakePHP then sanitize against SQL when writing the array $this->data, or when writing the query for find()?

My second question is about sanitizing data to be displayed. Is Sanitize::html idempotent? So, can I use it in my beforeSave() method, or will it break the second time I save because it is applied again and gives a new result?

Answer

Regarding this question:


Does CakePHP sanitize against SQL when writing the array $this->data, or when writing the query for find()?

CakePHP does not sanitize $this->data in the controller. If you check the Cake code in Dispatcher::parseParams() (http://api13.cakephp.org/view_source/dispatcher/#line-244) you will see that when $_POST is copied to the controller data, the values are not sanitized.

However, using $_POST is not recommended because you will lose all of Cake's magic that you gain when using the form helper.
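The second question, whether Sanitize::html is idempotent, is not covered by the answer above. The following is an added example, not code from the original post and not CakePHP's own code: it shows in plain PHP why an HTML-escaping step that double-encodes is not idempotent, and why escaping in beforeSave() and then again in the view mangles the stored text, which is the reason the cookbook advises storing raw data and escaping on output. It assumes plain PHP 5.2.3 or later (for the $double_encode argument of htmlspecialchars()) and that CakePHP 1.3's Sanitize::html() delegates to htmlentities(), which double-encodes by default in the same way; the function names and the sample input are constructed for this example.

```php
<?php
// Added example (not from the original question or answer, not CakePHP code).
// Demonstrates that default HTML escaping is not idempotent, so applying it
// in beforeSave() and again at output time double-encodes the value.

// Constructed sample input: the kind of value an attacker submits in a form field.
$userInput = '<script>alert("x")</script> & friends';

// Escape the way a view normally does when echoing a raw stored value.
// With the default $double_encode = true, an existing "&amp;" becomes "&amp;amp;".
function escapeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Same escaping with $double_encode = false: entities already present are
// left alone, so a second pass returns the same string as the first.
function escapeForHtmlIdempotent($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

// True when applying $escaper twice gives the same result as applying it once.
function isIdempotent($escaper, $value)
{
    $once  = call_user_func($escaper, $value);
    $twice = call_user_func($escaper, $once);
    return $once === $twice;
}

// Simulates the "escape in beforeSave(), escape again in the view" pipeline
// versus "store raw, escape only in the view", and reports what the browser
// would receive in each case.
function compareStrategies($value)
{
    $escapedOnSave  = escapeForHtml($value);          // what beforeSave() stores
    $renderedTwice  = escapeForHtml($escapedOnSave);  // view escapes it again
    $renderedOnce   = escapeForHtml($value);          // raw stored, escaped in view
    return array(
        'store_escaped_then_escape_on_output' => $renderedTwice,
        'store_raw_then_escape_on_output'     => $renderedOnce,
    );
}

echo "default escaper idempotent?       ";
var_dump(isIdempotent('escapeForHtml', $userInput));
echo "double_encode=false idempotent?   ";
var_dump(isIdempotent('escapeForHtmlIdempotent', $userInput));
print_r(compareStrategies($userInput));
```

With the default escaper, `&` becomes `&amp;` on the first pass and `&amp;amp;` on the second, so a record that was escaped in beforeSave() and saved twice (or escaped again by the view) no longer displays the text the user entered. Passing `$double_encode = false` makes the operation idempotent, but it also means a user who literally types `&amp;` will see it rendered as `&`; storing the raw value and escaping exactly once, at output, avoids both problems.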
