March 2, 2012

Am I protected from MySQL injection when I am using $this->data?

Question by huzzah

I am new to cakephp and security. I have read that security is built in for protection from MySQL injection if you follow cake’s conventions, but can someone tell me if my save() will be safe without manually calling the Security class?

function edit($id) {
    $this->set('title', 'Edit your property');
    $this->Unit->id = $id;
    if (empty($this->data)) {
        // no form submitted yet: load the record to populate the edit form
        $this->data = $this->Unit->read();
    } else {
        // form submitted: save the posted data
        if ($this->Unit->saveAll($this->data)) {
            $this->Session->setFlash('Your property has been updated.');
        }
    }
}

Answer by Achamenes

CakePHP will quote the data for you. Unless you are using a method similar to:

$this_year = date('Y-m-d h:i:s', strtotime('-1 year'));

$this->Baker->updateAll(
    array('Baker.approved' => true),
    array('Baker.created <=' => $this_year)
);

which takes SQL literals, you are safe and must not quote the data yourself to avoid getting the quotes in the data. Source: http://book.cakephp.org/2.0/en/models/saving-your-data.html

Answer by Starx

I will say no as your parameter is not specialised or sanitized anywhere. Something like this would limit the risk:

function edit($id) {
    // type cast the id so it is forced to a number, then check that $id is greater than 0
    if ((int)$id > 0) {
        // hence the injection vulnerability at $id is fixed
        // ....remaining part
    }
}
...
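A hardened version of the question's edit() action that combines Starx's integer cast with the quoting rule behind the updateAll() case Achamenes points to, as an added example that is not code from the question or either answer. It assumes CakePHP 2.x (Model::save(), Model::read(), Model::updateAll(), DboSource::value(), CakeRequest) and the Unit and Baker models named on the page; the columns name, address and label and the approveOlder() action are hypothetical.

```php
<?php
// Added example, not code from the question or either answer. Assumes CakePHP 2.x
// (Model::save/read/updateAll, DboSource::value, CakeRequest) and the Unit and
// Baker models named on the page; the columns name, address and label and the
// approveOlder() action are hypothetical. Needs the framework to run.
App::uses('AppController', 'Controller');

class UnitsController extends AppController {

    public function edit($id = null) {
        // Cast first: a non-numeric id becomes 0 and is rejected before any query runs
        $id = (int)$id;
        $this->Unit->id = $id;
        if ($id <= 0 || !$this->Unit->exists()) {
            throw new NotFoundException('Invalid property');
        }
        $this->set('title', 'Edit your property');

        if ($this->request->is('post') || $this->request->is('put')) {
            // save() passes values through the datasource, which quotes them;
            // the fieldList whitelist keeps the form from choosing which columns get written
            $fieldList = array('name', 'address');
            if ($this->Unit->save($this->request->data, true, $fieldList)) {
                $this->Session->setFlash('Your property has been updated.');
                return $this->redirect(array('action' => 'edit', $id));
            }
        } else {
            // No form submitted yet: load the record to populate the edit form
            $this->request->data = $this->Unit->read(null, $id);
        }
    }

    public function approveOlder($label) {
        // updateAll() treats the $fields array as SQL expressions, so a string
        // destined for a column there must be quoted through the datasource;
        // values in the $conditions array are quoted by CakePHP as usual
        $db = $this->Baker->getDataSource();
        $quotedLabel = $db->value($label, 'string');
        $cutoff = date('Y-m-d H:i:s', strtotime('-1 year'));
        $this->Baker->updateAll(
            array('Baker.approved' => true, 'Baker.label' => $quotedLabel),
            array('Baker.created <=' => $cutoff)
        );
    }
}
```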
