This document is for a version of CakePHP that is no longer supported. Please upgrade to a newer release!
The Sanitize
class is deprecated as of 2.4, and will be removed in CakePHP
3.0. Instead of using the Sanitize class you can accomplish the same tasks using
other parts of CakePHP, native PHP functions, or other libraries.
Instead of using the destructive input filtering features of Sanitize class you should instead apply more thorough Data Validation to the user data your application accepts. By rejecting invalid input you can often remove the need to destructively modify user data. You might also want to look at PHP’s filter extension in situations you need to modify user input.
Often input filtering is used when accepting user-submitted HTML. In these situations it is best to use a dedicated library like HTML Purifier.
CakePHP handles SQL escaping on associated array values provided to
Model::find()
and Model::save()
. In the rare case you
need to construct SQL by hand using user input you should use
Prepared Statements.