I am using CakePHP, and I have written some CakePHP find queries inside the routes file. The requirement was to create dynamic URLs. But I have doubts about whether it is safe to write queries in the routes file, or whether there is any chance of SQL injection with this. If it is unsafe, then what are the threats that will affect my website, and what should I do to prevent these web threats?
Viewed 138 times
1 Answer
No, this sounds like a terrible code smell.
What you want also sounds like you want to use slugs, or resolve URLs to something in the DB. Here is how to do it right:
- Create a custom route class (SlugRoute, DbLookupRoute...)
- Create a model method (MyUrLModel::lookup($url) for example) that does the actual lookup
- Load that model in the Route class
- Use the custom route class in your routes.php
- Optional, but a good idea to implement: caching of the route lookup.
All of the above is described on book.cakephp.org; pay attention to the chapter about the router.

floriank
Thanks for the reply. – Archana Behera Jul 10 '15 at 12:53
But actually the scenario is that on my site, the admin has access to create web pages dynamically. For each page there is a title field in the form, and I am creating a slug from that title and storing it in the database on the back end. Using an element I am displaying the menus in the header, and below is the code that I have written in routes. – Archana Behera Jul 10 '15 at 13:03
Router::connect('/', array('controller' => 'Pages', 'action' => 'index')); // Website Landing Page
App::import('Model', 'Page');
$Page = new Page();
$pages = $Page->find('all', array('conditions' => array('status' => 1)));
foreach ($pages as $page) {
    Router::connect('/' . $page['Page']['link'], array('controller' => 'Pages', 'action' => 'index', $page['Page']['link']));
}
– Archana Behera Jul 10 '15 at 13:04
It doesn't matter if you use a slug or a complete path; my answer is still the same. Just compare the whole URL instead of a part of it against your DB records; everything else in my answer stays exactly the same. – floriank Jul 10 '15 at 14:21
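A concrete version of the five steps in the answer above, plus the "compare the whole URL" point from the last comment, written here as an added example for CakePHP 2.x (the version the posted Router::connect / App::import code targets). It is not floriank's code and not taken from the CakePHP book. Assumed names: a Page model with link and status columns (from the comments), a route class DbLookupRoute, a model method lookup(), a cache key prefix, and the slug pattern; each section goes in the file named in its comment. On the security question itself: the routes.php code posted in the comments is not SQL-injectable as written, because its only condition is the literal status => 1, but it runs the full pages query on every request and registers one Router::connect() per page. Once the lookup key is the request path, the safe pattern is the one below: whitelist the path's shape, pass it through the ORM's conditions array (which the DBO quotes) rather than into a SQL string, and return false for unknown paths so they fall through to a 404.

```php
<?php
// --- app/Model/Page.php ----------------------------------------------------
// Assumed schema: pages(id, link, status, ...) where `link` is the admin-created
// slug or path and status = 1 means published (names taken from the comments).
App::uses('AppModel', 'Model');
App::uses('Cache', 'Cache');

class Page extends AppModel {

	// Resolve a request path to a published page, or return an empty array.
	// The path is a value in the ORM's conditions array, so the DBO quotes it;
	// it is never concatenated into SQL.
	public function lookup($path) {
		$key = 'page_route_' . md5($path);
		$page = Cache::read($key);
		if ($page !== false) {
			return $page;
		}
		$page = $this->find('first', array(
			'conditions' => array('Page.link' => $path, 'Page.status' => 1),
			'fields' => array('Page.id', 'Page.link'),
			'recursive' => -1,
		));
		// Cache hits only: caching misses would let anyone fill the cache
		// by requesting random paths.
		if (!empty($page)) {
			Cache::write($key, $page);
		}
		return $page;
	}

	// Drop the cached route when the admin creates or edits a page
	// (afterSave is the standard CakePHP 2.x model callback).
	public function afterSave($created, $options = array()) {
		if (!empty($this->data[$this->alias]['link'])) {
			Cache::delete('page_route_' . md5($this->data[$this->alias]['link']));
		}
	}
}

// --- app/Routing/Route/DbLookupRoute.php ------------------------------------
App::uses('CakeRoute', 'Routing/Route');
App::uses('ClassRegistry', 'Utility');

class DbLookupRoute extends CakeRoute {

	// Whitelist for the whole path: lowercase slug segments separated by "/".
	// Assumption: this matches what the admin form's slug generation produces.
	const PATH_PATTERN = '#^[a-z0-9-]+(?:/[a-z0-9-]+)*$#';

	public function parse($url) {
		$params = parent::parse($url);
		if (empty($params)) {
			return false;
		}
		$path = trim($url, '/');
		// Reject anything outside the slug alphabet before touching the DB.
		if (!preg_match(self::PATH_PATTERN, $path)) {
			return false;
		}
		$page = ClassRegistry::init('Page')->lookup($path);
		if (empty($page)) {
			return false; // unknown path: fall through to the next route / 404
		}
		// Pass the stored link (not the raw URL) to PagesController::index().
		$params['pass'] = array($page['Page']['link']);
		return $params;
	}
}

// --- app/Config/routes.php -------------------------------------------------
App::uses('DbLookupRoute', 'Routing/Route');

Router::connect('/', array('controller' => 'pages', 'action' => 'index'));
// Keep this catch-all LAST: routes are tried in order, and it would otherwise
// shadow /admin, /users, etc. No query runs while routes.php loads; the lookup
// happens per request inside DbLookupRoute::parse() and is cached.
Router::connect('/*', array('controller' => 'pages', 'action' => 'index'),
	array('routeClass' => 'DbLookupRoute'));
```

Two things to check when adopting this: the regex must actually accept every link the admin form can store (tighten or loosen it against your slug generator, not the other way round), and the catch-all must come after every other Router::connect() call, since a published page whose link happened to be "admin" would otherwise be reachable before the admin routes.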