SQL Injection at CakePHP 2.0
When I execute this URL on my website, the data in the "post" table is deleted:
http://mysite.com/posts/getposts/29;set foreign_key_checks = 0;delete posts;
or
http://mysite.com/posts/getposts/29;set foreign_key_checks = 0;
Currently the function in the PostController is this:

    App::uses('Sanitize', 'Utility'); // at the top of PostController.php

    public function getposts($iduser, $return = true) {
        $iduser = Sanitize::clean($iduser);
        // calling the Post model...
        $posts = $this->Post->getposts($iduser);
    }

And yeah... I'm sorry, I have an SQL sentence in the Post model called "getposts". (But I cannot change it now...)
I thought Sanitize was enough... How can I solve it?? Is there an equivalent of mysql_real_escape_string in CakePHP when working with your own SQL functions?
Thanks.
CakePHP 2.x protects against SQL injection as long as you use the built-in query builders find and save.
If your table IDs are integers, there is a quick and easy hack that makes it secure. Use PHP's integer type converter on the parameter. It will either convert to the correct ID value or to zero. There is no need to sanitize an integer value.

    public function getposts($iduser, $return = true) {
        $posts = $this->Post->getposts((int)$iduser);
    }

I do it all the time in models; it's a habit to develop.
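As an added illustration (not code from the question or the answer above), this is what the Post model's own-SQL method can look like in CakePHP 2.x, with the vulnerable string concatenation beside the cast-and-bind version. It assumes a `posts` table with a `user_id` column and that Model::query() accepts a parameter array that the datasource binds through a prepared statement, as in CakePHP 2.x.

```php
<?php
// Added example, not the question's or the answer's code. Assumes CakePHP 2.x:
// App::uses(), AppModel, and Model::query($sql, $params) binding $params via PDO.
App::uses('AppModel', 'Model');

class Post extends AppModel {

    // VULNERABLE: the raw controller argument is pasted into the SQL text.
    // "29;set foreign_key_checks = 0;delete posts;" turns one statement into
    // three, which is what the question describes.
    public function getpostsVulnerable($iduser) {
        return $this->query("SELECT * FROM posts WHERE user_id = " . $iduser);
    }

    // HARDENED: the (int) cast from the answer makes the value an integer
    // ("29;set ..." becomes 29, "abc" becomes 0), and the bound placeholder
    // keeps it out of the SQL text entirely (defence in depth).
    public function getposts($iduser) {
        $iduser = (int)$iduser;
        if ($iduser <= 0) {
            return array(); // no row can match; also rejects the 0 produced by junk
        }
        return $this->query(
            'SELECT Post.* FROM posts AS Post WHERE Post.user_id = ?',
            array($iduser)
        );
    }
}
```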