Use CakePHP 2's updateAll() Method with Caution!

I’ve recently noticed a number of people trying to use CakePHP 2’s updateAll() method very badly.

Let’s first get one thing straight: updateAll() is not the intended way of updating a record in CakePHP, use save() for that!

In many of the cases I’ve seen recently save() would have been a more suitable choice for saving the data. As long as you pass the record’s primary key in the save data, or set the model’s ID before saving, save() will act as an UPDATE rather than an INSERT:-

$this->Model->id = $id;

If you are using updateAll() then caution needs to be taken as it requires you to manually quote strings. The official docs state that-

Literal values should be quoted manually using DboSource::value().

A lot of people seem to miss this point. What it means is that any value you pass to updateAll() that is a string needs wrapping in quotation marks. One of the easiest ways of doing this is with the datasource’s value() method:-

$db = $this->Model->getDataSource();
$value = $db->value($value, 'string');

It is never a good idea to just pass $this->request->data to updateAll() as someone could attempt to inject SQL into your query. Only ever pass values that you are in control of. In other words don’t do this:-

// Do not do this
    [ // Some conditions ]

Do this instead:-

$db = $this->Model->getDataSource();
    ['value' => $db->value($this->request->data['Model']['value'], 'string')],
    [ // Some conditions ]

As save(), saveMany() and saveAssociated automatically wrap literals in quotation marks they are usually the preferable choice when saving data. Personally I’ve had little need to use updateAll() in my time developing with Cake. When I have used it it has been to quickly update a field for many rows rather than updating whole records as I have seen people doing.

Related Content

Published on


  1. Web Development India |

    This is great.. awesome information.. great Thanks..

  2. Gareth Ellis |

    Great post. I was aware of having some issues with updateAll() and having to add quote marks around strings, but wasn’t aware that it was vulnerable to SQL injection.

    Thinking this out a bit, is there any reason why you couldn’t add an updated version of updateAll() to AppModel? I haven’t tested this but have gist-ed what it would look like:

  3. Mandeep |

    hello sir how i make a user login form in cakephp 3.2 .so please send me code on my gmail please help me…..

  4. Gyandeep Sharma |

    I need to save multiple rows with the different condition for each row.

    Like :

    Update orderdetails SET data = “’.$json1.’” WHERE order_id = 1;
    Update orderdetails SET data = “’.$json2.’” WHERE order_id = 2;
    Update orderdetails SET data = “’.$json3.’” WHERE order_id = 3;
    Update orderdetails SET data = “’.$json4.’” WHERE order_id = 4;
    Update orderdetails SET data = “’.$json5.’” WHERE order_id = 5;

    How can I achieve it…?


  5. Andy |

    Hi Gyandeep, you can use updateAll for that, but will need to call it for each of your conditions. You could probably best achieve this by setting up a loop. Just remember to escape what you are writing to the table.