How do you escape SQL data in CakePHP?


Question

For some reason the AppModel->updateAll() method does not escape data passed to it. Looking over the documentation though, I can't find anything on how you actually escape data with CakePHP.

Down in datasources/dbo/dbo_mysql.php I found the value() method that seems to just use mysql_real_escape_string() - but how do you access that method from up in the models?

Answer

For most of CakePHP's model functions you don't have to worry about escaping the input.

CakePHP already protects you against SQL injection if you use:

  1. CakePHP's ORM methods (such as find() and save()) plus:
  2. Proper array notation (i.e. array('field' => $value)) instead of raw SQL.


For sanitization against XSS it's generally better to save raw HTML in the database without modification and sanitize at the time of output/display.

See http://book.cakephp.org/view/153/Data-Sanitization

There are other cases, however, when you need to run a custom SQL query or subquery. In these cases you can either:

// Prepared statement: the datasource binds the named parameters,
// so the values never get concatenated into the SQL text.
$db = $this->getDataSource();
$db->fetchAll(
    'SELECT * from users where username = :username AND password = :password',
    ['username' => 'jhon', 'password' => '12345']
);

Custom escaping with Model->getDataSource()->value()

// value() escapes the untrusted string AND wraps it in quotes, so it can be
// concatenated straight into the statement.
$sql = 'SELECT * FROM table WHERE name = '
     . $this->MyModel->getDataSource()->value($untrustedInput, 'string') . ';';

The value() function basically escapes and adds quotes like this:

"'" . mysql_real_escape_string($data, $this->MyModel->getDataSource()->connection) . "'"

Sanitize class

This used to be an option, but was deprecated as of CakePHP 2.4.
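As an added example that is not part of the original answer, the following CakePHP 2.x model puts the approaches above side by side and also shows the updateAll() case from the question, which is unsafe because the values in its $fields argument are treated as raw SQL fragments and must be quoted with value() first. It assumes a CakePHP 2.x application with the default MySQL datasource and a `users` table with `id`, `username`, `email` and `note` columns; the class, method and column names are invented for illustration.

```php
<?php
// Added example (not from the original answer or the CakePHP project).
// Assumes CakePHP 2.x and a `users` table with id, username, email, note.
App::uses('AppModel', 'Model');

class User extends AppModel {

    // 1. ORM method with array notation: the datasource quotes the value
    //    according to the column type, nothing to escape by hand.
    public function findByUsername($untrustedName) {
        return $this->find('first', array(
            'conditions' => array('User.username' => $untrustedName),
        ));
    }

    // 2a. The problem from the question: updateAll() does NOT quote the values
    //     in $fields. They are inserted into the SET clause verbatim, so an
    //     input such as  '', email = 'attacker@example.com'  rewrites other
    //     columns. (The $conditions argument IS escaped like a normal find().)
    public function setNoteUnsafe($id, $untrustedNote) {
        return $this->updateAll(
            array('User.note' => $untrustedNote),   // unsafe: raw SQL fragment
            array('User.id' => $id)                 // conditions are escaped
        );
    }

    // 2b. The fix: run each value through the datasource's value(), which
    //     escapes it and adds the surrounding quotes.
    public function setNoteSafe($id, $untrustedNote) {
        $db = $this->getDataSource();
        return $this->updateAll(
            array('User.note' => $db->value($untrustedNote, 'string')),
            array('User.id' => $id)
        );
    }

    // 3. Raw SQL with bound parameters: the statement is prepared and the
    //    values are bound by the driver, so no quoting is needed on our side.
    public function findByUsernameAndEmail($untrustedName, $untrustedEmail) {
        $db = $this->getDataSource();
        return $db->fetchAll(
            'SELECT id, username FROM users WHERE username = :username AND email = :email',
            array('username' => $untrustedName, 'email' => $untrustedEmail)
        );
    }

    // 4. Raw SQL assembled by hand: every untrusted piece goes through value().
    //    Note that value() quotes the whole string, so the LIKE wildcards are
    //    added to the PHP string before it is escaped, not around the result.
    public function searchRaw($untrustedFragment) {
        $db = $this->getDataSource();
        $sql = 'SELECT id, username FROM users WHERE username LIKE '
             . $db->value('%' . $untrustedFragment . '%', 'string');
        return $db->fetchAll($sql);
    }
}
```

Of the four, the bound-parameter form in findByUsernameAndEmail() is the one to reach for when the query cannot be expressed through find(): it does not depend on remembering to call value() for every fragment, which is exactly the mistake that setNoteUnsafe() makes.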
