[FIXED] CakePHP 3: search form with get method and find condition, how to prevent SQL injection?

Issue

I have an HTML form with the GET method, and five text input field, which should help to filter the data. When users fill one or more fields, these data are shown as url query.

My question is how to safely use the this query data without the possibility of SQL injection?

EDIT Of course, is a simple filtering of user data, by name, location, etc., not fulltext search.

'first_name LIKE' => '%'.$this->request->query('first_name').'%'

Where is in the documentation explained bind method, like ?

->bind(':name', $this->request->query('name'))

Solution

To avoid SQL injection vulnerabilities, you can use query placeholders.

Your code should look something similar to

$query = $this->Users->find()
    ->where([
        'first_name LIKE' => '%:name%'
    ])
    ->bind(':name', $this->request->query('first_name'));

More information in:

• Binding Values in Cookbook 3.x: Database Access & ORM
• Query::bind()

Answered By - Inigo Flores