Monday, February 21, 2022

[FIXED] CakePHP 3: search form with get method and find condition, how to prevent SQL injection?

Tags: cakephp, cakephp-3.0

Issue

I have an HTML form with the GET method and five text input fields, which should help to filter the data. When users fill in one or more fields, these data are shown as a URL query.

My question is how to safely use this query data without the possibility of SQL injection?

EDIT: Of course, it is a simple filtering of user data, by name, location, etc., not a fulltext search.

'first_name LIKE' => '%'.$this->request->query('first_name').'%'

Where in the documentation is the bind method explained, like this?

->bind(':name', $this->request->query('name'))


Solution

To avoid SQL injection vulnerabilities, you can use query placeholders.

Your code should look something similar to

$query = $this->Users->find()
    // The placeholder has to sit in the SQL text itself: an array key/value
    // condition is already bound as one string, so ':name' inside it would be
    // matched literally and the bind() call would go unused. The wildcards
    // belong to the bound value, which the driver sends as a single parameter.
    ->where('first_name LIKE :name')
    ->bind(':name', '%' . $this->request->query('first_name') . '%', 'string');

More information in:

  • Binding Values in Cookbook 3.x: Database Access & ORM
  • Query::bind()


Answered By - Inigo Flores
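The following is an added example, not code from the question or the answer above, showing what binding buys you at the driver level. It uses plain PDO with an in-memory SQLite table so it runs without CakePHP (the ORM's Query::bind() and the array form of where() both end up as PDO bound parameters in the same way). The table, the rows and the simulated GET input are constructed sample data; findUsers, findUsersUnsafe and likeEscape are names chosen for this example. It also covers a caveat the answer does not mention: binding stops the value from being parsed as SQL, but a user-typed % or _ still acts as a LIKE wildcard unless you escape it.

```php
<?php
// Added example (not from the original post): a GET-driven LIKE filter with
// bound parameters, next to the concatenated form it replaces.
// Constructed sample data, in-memory SQLite, no CakePHP required.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, location TEXT)');
$insert = $pdo->prepare('INSERT INTO users (first_name, location) VALUES (?, ?)');
foreach ([['Alice', 'Berlin'], ['Bob', 'Paris'], ['Al_ison', 'Berlin']] as $row) {
    $insert->execute($row);
}

// Escape the LIKE metacharacters so "%" or "_" typed by a user matches those
// literal characters instead of acting as a wildcard. Binding alone does not
// do this; it only keeps the value out of the SQL grammar.
function likeEscape(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Safe: each filter value is a bound parameter. Column names come from a
// fixed whitelist, never from the request, because identifiers cannot be bound.
function findUsers(PDO $pdo, array $query): array
{
    $allowed = ['first_name', 'location'];   // columns a user may filter on
    $conditions = [];
    $params = [];
    foreach ($allowed as $column) {
        if (!isset($query[$column]) || $query[$column] === '') {
            continue;                          // empty field: no filter
        }
        $conditions[] = "$column LIKE :$column ESCAPE '\\'";
        $params[":$column"] = '%' . likeEscape($query[$column]) . '%';
    }
    $sql = 'SELECT first_name, location FROM users';
    if ($conditions) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Unsafe counterpart, kept only to show what binding replaces: the value is
// pasted into the SQL text, so a quote in the input becomes SQL syntax.
function findUsersUnsafe(PDO $pdo, string $firstName): array
{
    $sql = "SELECT first_name, location FROM users WHERE first_name LIKE '%{$firstName}%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Simulated GET input (constructed); in CakePHP this is $this->request->query().
print_r(findUsers($pdo, ['first_name' => 'Al', 'location' => 'Berlin'])); // Alice, Al_ison

// A literal underscore in the input matches only the row that contains one.
print_r(findUsers($pdo, ['first_name' => 'l_i']));                          // Al_ison only

// An apostrophe in a name is harmless when bound ...
print_r(findUsers($pdo, ['first_name' => "O'Brien"]));                      // no rows, no error
// ... and breaks the query when concatenated.
try {
    findUsersUnsafe($pdo, "O'Brien");
} catch (PDOException $e) {
    echo 'unsafe query failed: ', $e->getMessage(), "\n";                   // syntax error
}
```

The ESCAPE clause is written for SQLite, where a SQL string literal does not treat backslash specially; on MySQL the default LIKE escape character is already backslash, so the clause can be dropped there, and on other servers check what the literal needs. The same whitelist-plus-bind shape carries over to the CakePHP ORM: bind the pattern as a single string value and never build the column part of a condition from request data.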