Using placeholders in Model::query() of CakePHP

I'm using CakePHP 1.2.3.
Model::query() is very useful for writing SQL statements directly, as follows:


$this->Model->query("SELECT `Post`.`id` FROM `posts` AS `Post` WHERE `Post`.`id` = 100", $cachequeries = false);

To avoid SQL injection, we want to use placeholders instead of embedding user input values in the statement.
We put a "?" character in the SQL statement for each value and pass the values as an array in the second parameter of the query method.
When the second parameter of query() is an array, Cake passes each value through DboMysql::value(), which escapes it with the mysql_real_escape_string function before substituting it for its "?".


$sql = "SELECT `Post`.`id` FROM `posts` AS `Post` WHERE `Post`.`id` = ? LIMIT ?";
$this->Model->query($sql, array(100,1), $cachequeries = false);

Cake then constructs and executes the following SQL statement:

SELECT `Post`.`id` FROM `posts` AS `Post` WHERE `Post`.`id` = 100 LIMIT 1
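As an added example (not code from the original post), here is the same query inside a CakePHP 1.2 controller action, first with the request value concatenated into the SQL text and then with the placeholder form described above; PostsController, its action names and the ctype_digit check are assumptions, not part of the post.

```php
<?php
// Added example, not from the original post. PostsController and the
// action names are hypothetical; CakePHP 1.2 conventions are assumed.
class PostsController extends AppController {
    var $uses = array('Post');

    // Vulnerable: the request value is pasted into the SQL text, so whatever
    // the client sends becomes part of the statement that MySQL parses.
    function unsafe_view($id = null) {
        $sql = "SELECT `Post`.`id` FROM `posts` AS `Post` WHERE `Post`.`id` = " . $id . " LIMIT 1";
        return $this->Post->query($sql, false);
    }

    // Hardened: every value goes through a "?" placeholder, so
    // DboMysql::value() escapes it before the statement is built.
    function view($id = null, $limit = 1) {
        // Reject anything that is not a non-negative integer before it
        // reaches SQL: escaping protects the statement, validation
        // protects the application logic.
        if (!ctype_digit((string)$id) || !ctype_digit((string)$limit)) {
            $this->cakeError('error404');
            return;
        }
        $sql = "SELECT `Post`.`id` FROM `posts` AS `Post` WHERE `Post`.`id` = ? LIMIT ?";
        // Placeholders stand in for values only. Table and column names must
        // stay literal text in $sql: a name passed through "?" would be
        // quoted as a string, not used as an identifier.
        return $this->Post->query($sql, array((int)$id, (int)$limit), false);
    }
}
?>
```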