如何在CakePHP中转义SQL数据? [英] How do you escape SQL data in CakePHP?
问题描述
出于某种原因, AppModel-> updateAll )
方法不会转移传递给它的数据。查看文档虽然,我找不到任何关于如何使用CakePHP实际转义数据。
For some reason the AppModel->updateAll()
method does not escape data passed to it. Looking over the documentation though, I can't find anything on how you actually escape data with CakePHP.
下来在 datasources / dbo / dbo_mysql。我发现
value()
方法,似乎只是使用 mysql_real_escape_string()
但是如何从模型中访问该方法?
Down in datasources/dbo/dbo_mysql.php
I found the value()
method that seems to just use mysql_real_escape_string()
- but how do you access that method from up in the models?
推荐答案
对于大多数的CakePHP模型
For most of CakePHP's model functions you don't have to worry about escaping the input.
CakePHP已经保护你免受
SQL注入,如果你使用:
CakePHP already protects you against SQL Injection if you use:
- CakePHP的ORM
方法(例如find()
code> save())plus: - 正确的数组符号(即
=> $ value)
)而不是
raw SQL。
- CakePHP's ORM
methods (such as
find()
andsave()
) plus: - Proper array notation (ie.
array('field' => $value)
) instead of raw SQL.
它通常更好地在数据库中保存原始HTML
而不修改,
输出/显示时
sanitize。
For sanitization against XSS its generally better to save raw HTML in database without modification and sanitize at the time of output/display.
请参阅 http://book.cakephp.org/view/153/Data-Sanitization
但是,当您需要运行自定义SQL查询或子查询时,还有其他情况。在这些情况下,您可以:
There are other cases, however, when you need to run a custom SQL query or subquery. In these cases you can either:
$db->fetchAll(
'SELECT * from users where username = :username AND password = :password',
['username' => 'jhon','password' => '12345']
);
自定义转义 Model-> getDataSource() - > value )
Custom Escaping with Model->getDataSource()->value()
$sql = 'SELECT * FROM table WHERE name = '
. $this->MyModel->getDataSource()->value($untrustedInput, 'string') . ';'
value()
基本上转义并添加如下引号:
The value()
function basically escapes and adds quotes like this:
"'" . mysql_real_escape_string($data, $this->MyModel->getDataSource()->connection) . "'"
清洁班
是一个选项,但自CakePHP 2.4起已被弃用。
Sanitize Class
This used to be an option, but was deprecated as of CakePHP 2.4.
这篇关于如何在CakePHP中转义SQL数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!