Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am new to CodeIgniter, but not new to PHP, and I was wondering what I needed to do in CodeIgniter in order to make all of my queries secure.
Usually, I just use mysql_real_escape_string() on each variable used in the query (standard PHP), but I watched a tutorial on CodeIgniter, where the author didn’t escape the variable and just did a standard insert like the following:
$this->db->query("SELECT * FROM Users WHERE Username = ?", array($username));
Which way is correct?
Your example does parameter binding
As you can read in the last paragraph of the above link, binding automatically escapes the value passed to query: