Hello, I'm currently on Day 2 of Jeffrey Way's CodeIgniter tutorial. In this screencast he said that in the lines below
$sql = "SELECT title, author, contents FROM data
        WHERE id = ? AND author = ?";
$q = $this->db->query($sql, array(1, 'jeffrey'));
if the user inputs anything funny where 'jeffrey' is supposed to be, then it'll be auto-escaped, preventing SQL injection.
Is this because CodeIgniter has its own validation in the query() parameters? Or is it that binding values to ? prevents SQL injection in general?
(The basic understanding I have of SQL injection is that typing in "jeffrey AND DROP TABLE contents" would kill the table pretty much, or run other bad MySQL commands.)
CodeIgniter is funny about how it does parameterized queries. Just yesterday we were discussing this similarly and a lot of useful knowledge on the subject can be gathered from this post: CodeIgniter PDO driver uses query instead of prepare? Isn't this less secure?
The CodeIgniter documentation calls it Query Bindings and has this to say about it:
In essence I believe it is a wrapper for PDO::query() that filters input providing proper escaping and quoting prior to making the call.
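To show the general mechanism the question is asking about, independent of CodeIgniter, here is an added example (not code from the original post, the tutorial, or CodeIgniter) using Python's built-in sqlite3 module against a constructed in-memory table with the same columns as the tutorial's query. The first function builds the query by string concatenation, the second passes the values as bound parameters; the table contents and the injection payloads are made up for the demonstration. The last function shows the caveat that a placeholder binds a value, never an identifier, so a column name passed as a parameter is compared as a plain string.

```python
import sqlite3


def make_db():
    """Constructed sample table; rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE data (id INTEGER PRIMARY KEY, title TEXT, author TEXT, contents TEXT)"
    )
    conn.executemany(
        "INSERT INTO data (id, title, author, contents) VALUES (?, ?, ?, ?)",
        [
            (1, "Day 1", "jeffrey", "intro"),
            (2, "Day 2", "jeffrey", "bindings"),
            (3, "Secret", "admin", "should never be returned to jeffrey"),
        ],
    )
    return conn


def lookup_unsafe(conn, id_, author):
    """Vulnerable: user input is spliced into the SQL text, so quotes and
    operators in `author` become part of the statement."""
    sql = (
        "SELECT title, author, contents FROM data "
        "WHERE id = %s AND author = '%s'" % (id_, author)
    )
    return conn.execute(sql).fetchall()


def lookup_bound(conn, id_, author):
    """Safe: the statement text is fixed; the driver sends the values
    separately, so `author` can only ever match a literal author string."""
    sql = "SELECT title, author, contents FROM data WHERE id = ? AND author = ?"
    return conn.execute(sql, (id_, author)).fetchall()


def match_bound_identifier(conn, column, value):
    """Caveat: binding does not turn a parameter into a column name.
    SQLite evaluates  'author' = 'jeffrey'  as a string comparison, so this
    never matches rows even though the column exists."""
    sql = "SELECT id FROM data WHERE ? = ?"
    return [row[0] for row in conn.execute(sql, (column, value)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload
    # Concatenation: WHERE id = 1 AND author = '' OR '1'='1'  -> every row leaks
    print(lookup_unsafe(conn, 1, payload))
    # Binding: author must literally equal the payload string -> no rows
    print(lookup_bound(conn, 1, payload))
    # A second payload that targets another user's rows
    print(lookup_unsafe(conn, 1, "jeffrey' OR author = 'admin"))
    print(lookup_bound(conn, 1, "jeffrey' OR author = 'admin"))
    print(match_bound_identifier(conn, "author", "jeffrey"))
```

Note that the protection comes from keeping the query text and the data separate, which every parameter-binding API provides, whether the driver prepares the statement server-side or, as the linked post says of CodeIgniter's PDO driver, escapes and quotes the values client-side before sending a single query string. What binding cannot do is parameterize table or column names, ORDER BY targets, or LIMIT clauses in some databases; those still need an allow-list in application code.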