I’ve recently noticed a number of people trying to use CakePHP 2’s
updateAll() method very badly.
Let’s first get one thing straight:
updateAll() is not the intended way of updating a record in CakePHP, use
save() for that!
In many of the cases I’ve seen recently
save() would have been a more suitable choice for saving the data. As long as you pass the record’s primary key in the save data, or set the model’s ID before saving,
save() will act as an
UPDATE rather than an
$this->Model->id = $id; $this->Model->save($this->request->data);
If you are using
updateAll() then caution needs to be taken as it requires you to manually quote strings. The official docs state that-
Literal values should be quoted manually using DboSource::value().
A lot of people seem to miss this point. What it means is that any value you pass to
updateAll() that is a string needs wrapping in quotation marks. One of the easiest ways of doing this is with the datasource’s
$db = $this->Model->getDataSource(); $value = $db->value($value, 'string');
It is never a good idea to just pass
updateAll() as someone could attempt to inject SQL into your query. Only ever pass values that you are in control of. In other words don’t do this:-
// Do not do this $this->Model->updateAll( $this->request->data['Model'], [ // Some conditions ] );
Do this instead:-
$db = $this->Model->getDataSource(); $this->Model->updateAll( ['value' => $db->value($this->request->data['Model']['value'], 'string')], [ // Some conditions ] );
saveAssociated automatically wrap literals in quotation marks they are usually the preferable choice when saving data. Personally I’ve had little need to use
updateAll() in my time developing with Cake. When I have used it it has been to quickly update a field for many rows rather than updating whole records as I have seen people doing.