{"id":4223,"date":"2022-08-22T00:26:17","date_gmt":"2022-08-21T18:56:17","guid":{"rendered":"https:\/\/jassweb.com\/solved\/solved-how-to-prevent-sql-injections-in-manually-created-queries\/"},"modified":"2022-08-22T00:26:17","modified_gmt":"2022-08-21T18:56:17","slug":"solved-how-to-prevent-sql-injections-in-manually-created-queries","status":"publish","type":"post","link":"https:\/\/jassweb.com\/solved\/solved-how-to-prevent-sql-injections-in-manually-created-queries\/","title":{"rendered":"[Solved] How to prevent SQL injections in manually created queries?"},"content":{"rendered":"

[ad_1]
\n<\/p>\n

\n
\n
<\/div>\n
\n
\n
\n

I dont want to use other method<\/p>\n<\/blockquote>\n

You should use whatever provides the required functionality, not the method that you like more over others!<\/p>\n

Also you should never access superglobals directly in CakePHP, this will only bring you in trouble, especially in unit tests. User the proper abstracted methodes provided by the request object, that is CakeRequest::query()<\/code>.<\/p>\n

Cookbook > Controllers > Request and Response objects > Accessing Querystring parameters<\/a><\/strong><\/p>\n

\n

Use prepared statements<\/h2>\n

That being said, use prepared statements, either by passing the values to bind to the second argument of Model::query()<\/code>:<\/p>\n

$result = $this->Search->query(\n    \"select * from subcategories where subcat_name like ? and subcat_status=\"active\"\",\n    array('%' . $this->request->query('searchkey') . '%')\n);\n<\/code><\/pre>\n
API > Model::query()<\/a><\/strong><\/p>\n
or by using DboSource::fetchAll()<\/code>, which accepts parameters as the second argument too:<\/p>\n
$db = $this->Search->getDataSource();\n$result = $db->fetchAll(\n    \"select * from subcategories where subcat_name like ? and subcat_status=\"active\"\",\n    array('%' . $this->request->query('searchkey') . '%')\n);\n<\/code><\/pre>\n