在CakePHP中转义字段数组

时间:2014-03-10 09:32:24

标签: php security cakephp model

我目前有:

$subQuery = $dbo->buildStatement(
        array(
            'fields' => array(
                "CASE
                    WHEN
                        Application.program_type_id = 3
                        AND Application.program_type_id IS NOT NULL
                        THEN {$keys['program_type_id_program_type_id']}
                        ELSE 0
                END as program_type_score,
                CASE
                    WHEN
                        Application.priority_subject_area_id = 1
                        AND Application.priority_subject_area_id IS NOT NULL
                        THEN {$keys['priority_subject_area_id_priority_subject_area_id']}
                        ELSE 0
                END as priority_subject_area_priority_subject_area_score,
                User.*"
            ),
            'table' => $dbo->fullTableName($this),
            'alias' => 'User',
            'limit' => null,
            'offset' => null,
            'joins' => $joins,
            'conditions' => array(
                'Application.state' => 'accepted',
                'Role.role' => 'mentor'
            ),
            'order' => null,
            'group' => null
        ),
        $this->User
    );

我需要更改案例陈述:

CASE
                        WHEN
                            Application.program_type_id = 3
                            AND Application.program_type_id IS NOT NULL
                            THEN {$keys['program_type_id_program_type_id']}
                            ELSE 0
                    END as program_type_score

到此:

CASE
                        WHEN
                            Application.program_type_id = $user['User']['value']
                            AND Application.program_type_id IS NOT NULL
                            THEN {$keys['program_type_id_program_type_id']}
                            ELSE 0
                    END as program_type_score

如何逃避$user['User']['value']?将Sanitize :: escape()工作,但是,它已被弃用。

2 个答案:

答案 0 :(得分:0)

我在php中使用单引号,所以我这样做的方式是:

'CASE
                    WHEN
                        Application.program_type_id = '.$user['User']['value'].'
                        AND Application.program_type_id IS NOT NULL
                        THEN {$keys['program_type_id_program_type_id']'}
                        ELSE 0
                END as program_type_score'
enter code here

你应该完成。

我更喜欢单引号的原因之一。有时候会有更多的工作,但通常不用担心逃避事情。至少你不会使用PHP变量将HTML与Javascript混合使用。然后它总是很乱。

希望有所帮助。

答案 1 :(得分:0)

似乎CakePHP在find()方法上自行逃避,正如文档所说:http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html#sql-escaping