Issue
I have an HTML form with the GET method and five text input fields, which should help to filter the data. When users fill in one or more fields, these data are shown as a URL query.
My question is how to safely use this query data without the possibility of SQL injection?
EDIT: Of course, it is a simple filtering of user data, by name, location, etc., not full-text search.
'first_name LIKE' => '%'.$this->request->query('first_name').'%'
Where in the documentation is the bind method explained, like this?
->bind(':name', $this->request->query('name'))
Solution
To avoid SQL injection vulnerabilities, you can use query placeholders.
Your code should look something similar to
// The placeholder belongs in the SQL fragment, not inside a quoted value:
// an array condition such as ['first_name LIKE' => '%:name%'] would bind the
// literal string '%:name%' and leave :name without a matching token.
$query = $this->Users->find()
    ->where('first_name LIKE :name')
    ->bind(':name', '%' . $this->request->query('first_name') . '%', 'string');
More information in:
- Binding Values in Cookbook 3.x: Database Access & ORM
- Query::bind()
Answered By - Inigo Flores
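The same idea carried through for all five fields of the form, as an added example that is not part of the original answer: each column name comes from a fixed whitelist, each value travels as a bound parameter, and LIKE metacharacters typed by the user are escaped so "%" or "_" cannot widen the filter. It assumes a CakePHP 3 UsersController and a users table with the five columns listed in $filterable; the array form ['first_name LIKE' => $value] is bound automatically too, the explicit bind is used here to mirror the answer.

```php
<?php
// Added example (not the original answer's code). Assumes CakePHP 3 and a
// `users` table with the columns named in $filterable.

namespace App\Controller;

class UsersController extends AppController
{
    /** Columns the form may filter on; any other query key is ignored. */
    private $filterable = ['first_name', 'last_name', 'city', 'country', 'email'];

    /**
     * Escape LIKE metacharacters so a user typing "%" or "_" matches the
     * literal character instead of acting as a wildcard. "!" is used as the
     * escape character so the same string works in MySQL, PostgreSQL and
     * SQLite, each of which receives an explicit ESCAPE '!' clause below.
     */
    public static function escapeLike($value)
    {
        return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
    }

    public function index()
    {
        $query = $this->Users->find();

        foreach ($this->filterable as $column) {
            $value = $this->request->query($column);
            if ($value === null || $value === '') {
                continue; // field left empty: no condition for it
            }
            // The column name comes from the whitelist, never from the request;
            // the value is passed separately as a bound parameter, so the SQL
            // text itself never contains user input. Successive where() calls
            // are combined with AND.
            $query->where("{$column} LIKE :{$column} ESCAPE '!'")
                  ->bind(":{$column}", '%' . self::escapeLike($value) . '%', 'string');
        }

        $this->set('users', $this->paginate($query));
    }
}
```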