In order to make my application 'safer', I've decided that injecting $this->params['something'] directly into an SQL statement is NOT a good idea. ;-)
If you are doing a regular find() with an id = $this->params['id'], then a simple ->find($this->params['id']) would work fine.
However, if you're using find (with an include), findBySql, or _db->execute, and are using a condition of some sort, you should be doing one of the following:
Here's how to do it with a regular ->find():
$this->part = $this->Part->find('all', array('conditions' => array('id = ?', $this->params['id']), 'include' => 'vendor'));
Here's how to do it with a findBySql():
$this->part = $this->Part->findBySql(array('SELECT * FROM parts WHERE id = ?', $this->params['id']));
And here's how with a _db->execute():
$this->part = $this->Part->_db->execute('SELECT * FROM parts WHERE id = ?', $this->params['id']);
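To show what the array('... ?', $value) form does for you, here is an added example written for this post (not the framework's own code): a hypothetical bindPlaceholders() helper that quotes each value into its placeholder, refuses a mismatched placeholder count, and is run against a constructed id parameter beside the plain string-concatenation version.

```php
<?php
// Hypothetical helpers for illustration; a real adapter uses the database driver's escaper.
function quoteValue($value) {
    if (is_null($value)) return 'NULL';
    if (is_bool($value)) return $value ? '1' : '0';
    if (is_int($value) || is_float($value)) return (string) $value;
    // Everything else becomes one quoted string literal, with backslash and quote escaped.
    return "'" . str_replace(array('\\', "'"), array('\\\\', "''"), (string) $value) . "'";
}

// Takes the same shape as the conditions array above: array('sql with ?', value1, value2, ...)
function bindPlaceholders(array $sqlAndValues) {
    $sql    = array_shift($sqlAndValues);
    $values = array_values($sqlAndValues);
    $expected = substr_count($sql, '?');
    if ($expected !== count($values)) {
        throw new InvalidArgumentException("Expected $expected bound value(s), got " . count($values));
    }
    // explode() yields one more piece than there are placeholders, so each value
    // lands between two pieces and the last piece is appended as-is.
    $pieces = explode('?', $sql);
    $out = '';
    foreach ($pieces as $k => $piece) {
        $out .= $piece;
        if ($k < count($values)) {
            $out .= quoteValue($values[$k]);
        }
    }
    return $out;
}

// Constructed request parameter for the demo (not a real request).
$params = array('id' => "1 OR 1=1");

// Concatenation: the parameter becomes part of the SQL grammar, so the WHERE clause changes meaning.
$unsafe = 'SELECT * FROM parts WHERE id = ' . $params['id'];

// Bound form: the whole parameter is emitted as a single quoted literal and cannot alter the query.
$safe = bindPlaceholders(array('SELECT * FROM parts WHERE id = ?', $params['id']));

echo $unsafe, "\n"; // SELECT * FROM parts WHERE id = 1 OR 1=1
echo $safe, "\n";   // SELECT * FROM parts WHERE id = '1 OR 1=1'

// The count check catches a forgotten value before any query is sent.
try {
    bindPlaceholders(array('SELECT * FROM parts WHERE id = ? AND vendor_id = ?', 7));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // Expected 2 bound value(s), got 1
}
```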
I hope that saves someone else a few hours of searching. ;-)