
Fix SQL Injection (Legacy & Modern) in CakePHP

SQL Injection in CakePHP isn't dead; it just evolved. While the ORM handles most heavy lifting, developers often bypass security by concatenating strings in 'where' clauses or using raw SQL fragments. In legacy 2.x environments, the risk is rampant due to loose array handling, while in modern 3.x/4.x/5.x versions, the danger lies in treating the Query Builder like a string concatenator. To secure these, you must force the ORM to use PDO prepared statements by passing data as key-value pairs.

The Vulnerable Pattern

// Legacy CakePHP 2.x - Vulnerable to string interpolation
$results = $this->User->find('all', array(
    'conditions' => "User.username = '" . $userInput . "'"
));

// Modern CakePHP 4.x/5.x - Vulnerable via raw string in where()
$query = $this->Users->find()->where("username = '" . $userInput . "'");

The Secure Implementation

The vulnerability occurs when user input is treated as part of the SQL command rather than data. In the vulnerable examples, the input directly modifies the SQL structure. By switching to array syntax (e.g., ['field' => $value]), you trigger CakePHP's internal integration with PDO prepared statements. This separates the query logic from the data, making it impossible for a malicious payload to break out of the string literal and execute arbitrary SQL. For raw or complex queries where array syntax isn't enough, always use the 'bind()' method to explicitly define placeholders and types.

// Legacy CakePHP 2.x - Secure via array syntax (Auto-binding)
$results = $this->User->find('all', array(
    'conditions' => array('User.username' => $userInput)
));

// Modern CakePHP 4.x/5.x - Secure via Query Builder array mapping
$query = $this->Users->find()->where(['username' => $userInput]);

// Modern CakePHP - Secure via manual parameter binding for complex queries
// A numeric-keyed array element is treated as a raw SQL fragment, so the
// ':user' placeholder survives into the SQL for bind() to fill. With a string
// key (['username' => ':user']) the literal text ':user' would be bound as the
// value instead, and the placeholder would never exist in the query.
$query = $this->Users->find();
$query->where(['username = :user'])
    ->bind(':user', $userInput, 'string');
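The following is an added example, not code from the original article or from the CakePHP project. It shows the two secure patterns above combined in one query built from untrusted request values, plus a review-time check that confirms every untrusted value ended up in the query's value binder rather than in the SQL text. It assumes a CakePHP 4.x/5.x application where $users is an existing Cake\ORM\Table (for example UsersTable with a Users.username, Users.role and Users.email column); the function names buildUserSearch and assertValuesAreBound are hypothetical.

```php
<?php
// Added example (not from the original article). Assumes a CakePHP 4.x/5.x
// application; $users is an existing Cake\ORM\Table (e.g. UsersTable) and
// the function names below are hypothetical.
declare(strict_types=1);

use Cake\Database\Query;
use Cake\ORM\Table;

/**
 * Build a user search from untrusted request values.
 * Every value reaches the database as a bound PDO parameter, never as SQL text.
 */
function buildUserSearch(Table $users, string $term, ?string $role, string $email): Query
{
    // LIKE wildcards typed by the user are still data (they cannot break out of
    // the bound value), but they change match semantics; escape them so "%" and
    // "_" match literally (backslash is the default LIKE escape on MySQL/PostgreSQL).
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $query = $users->find()
        // key => value: CakePHP binds the value to a generated placeholder (:c0, :c1, ...)
        ->where(['Users.username LIKE' => $pattern]);

    if ($role !== null) {
        // Conditional criteria stay key => value; nothing is concatenated.
        $query->andWhere(['Users.role' => $role]);
    }

    // A raw fragment is sometimes unavoidable (SQL functions, vendor syntax).
    // A numeric-keyed element is emitted verbatim, so keep the placeholder in
    // the fragment and supply the value with bind() together with its type.
    $query->andWhere(['LOWER(Users.email) = :email'])
        ->bind(':email', strtolower($email), 'string');

    return $query;
}

/**
 * Review-time check: every value we treat as untrusted must be present in the
 * query's value binder. A missing value means it was interpolated into the SQL
 * string instead of being bound. Returns the bindings for inspection.
 */
function assertValuesAreBound(Query $query, array $untrustedValues): array
{
    $query->sql(); // compile once so every placeholder is registered in the binder
    $bindings = $query->getValueBinder()->bindings();
    $boundValues = array_column($bindings, 'value');

    foreach ($untrustedValues as $value) {
        if (!in_array($value, $boundValues, true)) {
            throw new LogicException(sprintf(
                'Untrusted value %s is not bound; compiled SQL: %s',
                var_export($value, true),
                $query->sql()
            ));
        }
    }

    return $bindings; // each entry carries 'value', 'type' and 'placeholder'
}

// Usage inside a controller action (constructed sample input):
// $term  = "o'brien";   // the quote is data, not SQL, once bound
// $query = buildUserSearch($this->Users, $term, 'admin', 'Alice@Example.com');
// assertValuesAreBound($query, [
//     '%' . addcslashes($term, '%_\\') . '%',
//     'admin',
//     'alice@example.com',
// ]);
```

Printing $query->sql() during review shows only placeholders (the generated :c0-style ones for array conditions and :email for the manual bind), while $query->getValueBinder()->bindings() lists the actual values with their types; if a user-controlled string ever shows up verbatim in sql(), the query was built by concatenation and needs the array or bind() form instead.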

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.