Home/ Questions/Q 8122945
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T05:59:48+00:00

From what I understand using $this->db->insert() escapes the values: http://codeigniter.com/user_guide/database/active_record.html#insert Note: All values are

  • 0

From what I understand using $this->db->insert() escapes the values:

http://codeigniter.com/user_guide/database/active_record.html#insert

Note: All values are escaped automatically producing safer queries.

But when I look into mysql, my inputs are not escaped, is it for some reason removed some how?

Worried about sql injections here, thats why I’m asking.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    When you escape a string for SQL statements it doesn’t necessarily mean that you should see backslashes added when you look into the data later. It means that certain characters will be escaped and the SQL statement will run without any errors. Try inserting data with mysql_real_escape_string

    LINE: 557
    https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Input.php

    if ( ! is_php('5.4') && get_magic_quotes_gpc())
{
    $str = stripslashes($str);
}

    And then

    LINE: 285
    https://github.com/EllisLab/CodeIgniter/blob/develop/system/database/drivers/mysql/mysql_driver.php

    $str = is_resource($this->conn_id) ? mysql_real_escape_string($str, $this->conn_id) : addslashes($str);

    The string is passed through mysql_real_escape_string or addslashes. Hence, we can say that safety measures against SQL injections are taken into account.

    • 0