John Davidson

htmlspecialchars to escape SQL string for Cake PHP 2

Message:


I'm performing an SQL query in my Cake PHP 2.10 application and need to insert a value that's retrieved from another query. I've been reading the docs for Cake 2 and came across this note:

If you use this method, be sure to properly escape all parameters using the value() method on the database driver. Failing to escape parameters will create SQL injection vulnerabilities.

I can't seem to find the value() method, so have opted to use the htmlspecialchars function provided by PHP.


Given that my value is taken from another query, the risk of a malformed value or tampered value is quite low, so is this fine?


How else can I escape my string to ensure it doesn't mess up the query?


My query in my function looks like:


$redirection_key = $this->request->query['r'];
$redirect = $this->Redirect->findByRedirectionKey($redirection_key);

$appID = htmlspecialchars($redirect['Redirect']['application_id']);
$applicationPayday = $this->Application->query("SELECT * FROM tlp_applications WHERE id = $appID");

Is $appID okay in this instance?
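For comparison, here is the same controller action written the way the CakePHP 2 docs intend. This is an added example, not code from the original post: it assumes the Redirect and Application models from the question and the standard CakePHP 2.x Model/DboSource API. The key point is that htmlspecialchars() only rewrites HTML metacharacters, and in an unquoted numeric context like `WHERE id = $appID` there is no quote to escape in the first place, so it offers no protection at all.

```php
<?php
App::uses('AppController', 'Controller');

class RedirectsController extends AppController {

    public $uses = array('Redirect', 'Application');

    public function resolve() {
        $redirection_key = $this->request->query['r'];
        $redirect = $this->Redirect->findByRedirectionKey($redirection_key);
        if (empty($redirect)) {
            throw new NotFoundException();
        }
        $appID = $redirect['Redirect']['application_id'];

        // Option 1 (preferred): let the ORM build the WHERE clause. find() quotes and
        // type-casts condition values through the datasource, so no raw SQL is needed.
        $application = $this->Application->find('first', array(
            'conditions' => array('Application.id' => $appID),
        ));

        // Option 2: raw SQL with a placeholder. Model::query() forwards the params array
        // to the DBO, which binds it as a PDO prepared-statement parameter; the value
        // never becomes part of the SQL text.
        $rows = $this->Application->query(
            'SELECT * FROM tlp_applications WHERE id = ?',
            array($appID)
        );

        // Option 3: the value() method the docs mention lives on the datasource, not on
        // the model. It returns the value quoted/typed for the driver, so it is the only
        // thing that may be concatenated into a query string.
        $db = $this->Application->getDataSource();
        $safeID = $db->value($appID, 'integer');
        $rows = $this->Application->query("SELECT * FROM tlp_applications WHERE id = $safeID");

        $this->set('application', $application);
    }
}
```

Whichever option is used, the provenance of the value (another query, a session, a form) does not change the rule: anything interpolated into SQL goes through value() or a bound parameter.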



My Answer:
>Model->query("SELECT redirection_key FROM redirections WHERE id = " . htmlspecialchars($id));

© 2024 Hayatsk.info - Personal Blogs Platform. All Rights Reserved.