Data sanitization is the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device. A device that has been sanitized has no usable residual data and even advanced forensic tools should not ever be able recover erased data.
Instead of using the destructive input filtering features of Sanitize class we should instead apply more thorough Data Validation to the user data our application accepts. By rejecting invalid input we can often remove the need to destructively modify user data. We might also want to look at PHP’s filter extension in situations we need to modify user input.
Accepting user submitted HTML
Often input filtering is used when accepting user-submitted HTML. In these situations it is best to use a dedicated library like HTML Purifier
CakePHP handles SQL escaping on all parameters to Model::find() and Model::save(). In the rare case we need to construct SQL by hand using user input we should use Prepared Statements.
When to do sanitization in CakePHP
For most of CakePHP’s model functions we don’t have to worry about escaping the input.
CakePHP already protects us against SQL Injection if we use:
CakePHP’s ORM methods (such as find() and save()) plus:
Proper array notation (ie. array(‘field’ => $value)) instead of raw SQL.
For sanitization against XSS its generally better to save raw HTML in database without modification and sanitize at the time of output/display.
See https://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html There are other cases, however, when you need to run a custom SQL query or subquery. In these cases you can either:
>> We do a find() query using $this->data. Then CakePHP sanitize against SQL when writing the array $this->data or when writing the query for find()?
Cakephp does not sanitize $this->data in the controller, if we check the cake code, in Dispatcher::parseParams() http://api13.cakephp.org/view_source/dispatcher/#line-244 we will see that when $_POST is copied to controller data the values are not sanitized.
However, using $_POST is not recommended because we will loose all the cake’s magic that we gain when using the form helper.
Want to develop a best website for your business? Solace is the best place for development. Dedicated team of Solace will provide the best development using PHP frameworks like CakePHP, that bring your company the success it deserves. Developer’s at solace are well trained with the new functionalities like data sanitization. Feel free to contact us for effective web development with best PHP frameworks.