CakePHP does a lot of things automagically; among these is sanitizing SQL against SQL injection attacks.
In Cheesecake 1.x we had used our home-grown component for sending emails. Having learned our lessons from the headaches of the Pixelpost team due to email header injection attacks in their comment mailing code, we had taken precautions to make our code safe from such attacks.
When we moved Cheesecake development to CakePHP 1.2, we naturally wanted to use the Email component which comes bundled. However, a quick look at the code showed that the component could do with some automagic; to be more specific, the component should make the params passed to it header injection safe on its own. Since it is a patently bad idea to mess with the framework code, I filed an enhancement ticket, which phpNut promptly incorporated in this changeset.
Hurray! Now app developers need not worry about email injection attacks, or for that matter take any extra measures, just like the automagic which prevents SQL injection attacks.
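What "header injection safe" means for values passed into mail headers, as an added example that is not CakePHP's Email component code or the Cheesecake code: the helper names `strip_header_value` and `build_headers` and the sample form input are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not CakePHP's EmailComponent code.

/**
 * Make a value safe to place in a single mail header line.
 * Removes CR, LF and their URL-encoded forms, repeating until the value is
 * stable so that removing one sequence cannot splice together another.
 */
function strip_header_value(string $value): string
{
    $pattern = '/\r|\n|%0a|%0d/i';
    do {
        $before = $value;
        $value = preg_replace($pattern, '', $value);
    } while ($value !== $before);
    return trim($value);
}

/**
 * Build a header block from name => value pairs, rejecting bad header names.
 */
function build_headers(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9-]+$/', $name)) {
            throw new InvalidArgumentException('Invalid header name');
        }
        $lines[] = $name . ': ' . strip_header_value($value);
    }
    return implode("\r\n", $lines);
}

// Constructed input: a comment-form "name" field carrying an extra header line.
$submittedName  = "Visitor\r\nBcc: someone@example.org";
$submittedEmail = "visitor@example.com";

// Unsafe: plain concatenation lets the embedded line break start a new header.
$unsafe = "From: $submittedName <$submittedEmail>\r\nReply-To: $submittedEmail";

// Safe: the line break is removed, so the text stays inside the From value.
$safe = build_headers([
    'From'     => "$submittedName <$submittedEmail>",
    'Reply-To' => $submittedEmail,
]);

printf("unsafe header lines: %d\n", count(explode("\r\n", $unsafe)));
printf("safe header lines:   %d\n", count(explode("\r\n", $safe)));
```

Only header fields get this treatment; the message body legitimately contains line breaks and must not be passed through `strip_header_value`.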