In the CakePHP Docs it states

CakePHP handles SQL escaping on all parameters to Model::find() and Model::save(). 

I was reading up on security and sanitizing data with CakePHP and I came across this blog post.

In the author's first two examples (assuming you're using Cake 2.X), is it true that if you set a variable to some POST data, then use that variable in a find statement you're still vulnerable to SQL injection?

The author states in this example Cake will protect you from SQL injection

$articles = $this->Article->find('all', array(
    'conditions' => array(
        'Article.date' => $this->request->data['Article']['date'],
    )
));

Whereas this one would leave you vulnerable to SQL injection unless you use the sanitize utility on the $date variable.

$date = $this->request->data['Article']['date'];
$articles = $this->Article->find('all', array(
    'conditions' => array(
        "Article.date='{$date}'",
    )
));

Seeing as they're both the same value ($date and $this->request->data['Article']['date']), does Cake actually handle them differently?

Also, I noticed the CakePHP documents state Sanitize is deprecated as of 2.4. I'm currently using 2.3.9. Is it still OK to use it, or should I switch to a library like HTML Purifier?

EDIT

I just noticed that the author uses "Article.date='{$date}'" rather than Article.date => $date.

1 Answer

The variables are escaped if you are using

'conditions' => array(
    'Article.date' => $this->request->data['Article']['date'],
)

In the second example, you would need to be responsible to escape the $date variable first.

Where are you using the sanitize class now? The suggestions from the documentation might apply to your case too.
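To make the difference between the two condition forms concrete, here is an added example (not CakePHP's code and not from the question or answer): a simplified, stand-alone model of how Cake 2.x turns a conditions array into a WHERE clause. It assumes, as the answer states, that Cake quotes the value of a `'Field' => $value` pair but passes a bare string condition through as literal SQL; the `quoteValue` and `buildWhere` functions and the input value are constructed for this illustration.

```php
<?php
// Added example, not CakePHP's own DboSource code. It models the two
// condition forms from the question so the escaping difference is visible.

/**
 * Quote a value the way a database driver would (simplified model of the
 * escaping Cake's DboSource delegates to the driver): wrap in single quotes
 * and double any embedded single quote so it cannot close the literal.
 */
function quoteValue(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * Build a WHERE clause from a Cake-style conditions array.
 *   'Field' => $value   string key   -> value is quoted (safe form)
 *   "raw string"        integer key  -> passed through untouched (risky form)
 */
function buildWhere(array $conditions): string
{
    $parts = [];
    foreach ($conditions as $key => $value) {
        if (is_int($key)) {
            // A bare string entry is treated as literal SQL: whatever the
            // caller interpolated into it is already part of the statement.
            $parts[] = (string) $value;
        } else {
            $parts[] = $key . ' = ' . quoteValue((string) $value);
        }
    }
    return 'WHERE ' . implode(' AND ', $parts);
}

// Constructed input with a stray single quote, standing in for what might
// arrive in $this->request->data['Article']['date'].
$date = "2013-10-01'";

// Form 1 from the question: key => value. The quote is escaped, so the
// value stays inside one string literal.
echo buildWhere(['Article.date' => $date]), PHP_EOL;

// Form 2 from the question: interpolated string. The quote closes the
// literal early and the rest of the input becomes SQL syntax.
echo buildWhere(["Article.date='{$date}'"]), PHP_EOL;
```

Running it prints a well-formed literal for the array form and a WHERE clause with an unbalanced quote for the interpolated form, which is exactly why the second example needs the value escaped (or, better, rewritten as `'Article.date' => $date`) before it reaches `find()`.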