In my project I use $this->input->(get|post) to pass data to models. In models I always use active records.
Is this enough to prevent SQL injections?
No, it isn’t. Edit: Yes it is… didn’t see your comment about you using active records. You either need to escape your inputs manually using PHP’s or CodeIgniter’s escaping functions, or you should be using CodeIgniter’s query bindings, or you can use CodeIgniter’s Active Record class. I prefer to do the query bindings as it a) makes my queries look nicer and b) ensures that all of my inputs are cleansed prior to being run in MySQL. http://ellislab.com/codeigniter/user_guide/database/queries.html
This works like this:
CodeIgniter will recognize what type of data your variable is, and wrap it accordingly. That is, if it’s a string, it will put ' and ' around the escaped value in the SQL, which is what you need to ensure that users can’t inject anything malicious.
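The snippet the answer refers to is not reproduced on this page. As an added illustration (not the answer’s own code and not part of CodeIgniter), here is a CodeIgniter 3 model showing the three options the answer names, plus the one case none of them covers. The model name, the `articles` table and its column names are assumptions; it expects a loaded CodeIgniter 3 instance with the database library available as `$this->db`.

```php
<?php
// Added example, not from the original answer. Assumes CodeIgniter 3, a
// configured $this->db connection and a table `articles` (assumed name)
// with columns id, author, status, created_at (assumed names).
class Article_model extends CI_Model
{
    // UNSAFE: request input concatenated straight into the SQL string.
    // $author = "x' OR '1'='1" closes the quoted literal and changes the WHERE clause.
    public function find_by_author_unsafe($author)
    {
        $sql = "SELECT * FROM articles WHERE author = '" . $author . "'";
        return $this->db->query($sql)->result();
    }

    // Option 1: query bindings. Each ? is replaced by the escaped value; strings
    // are quoted, integers are not, so the value can never terminate the literal.
    public function find_by_author_bound($author, $status = 'live')
    {
        $sql = 'SELECT * FROM articles WHERE author = ? AND status = ?';
        return $this->db->query($sql, array($author, $status))->result();
    }

    // Option 2: Active Record (Query Builder). The second argument of where()
    // is escaped by CodeIgniter; the first is treated as a column identifier.
    public function find_by_author_ar($author)
    {
        return $this->db->where('author', $author)
                        ->where('status', 'live')
                        ->get('articles')
                        ->result();
    }

    // Option 3: manual escaping. escape() adds the surrounding quotes itself,
    // so the result must not be wrapped in quotes a second time.
    public function find_by_author_escaped($author)
    {
        $sql = 'SELECT * FROM articles WHERE author = ' . $this->db->escape($author);
        return $this->db->query($sql)->result();
    }

    // Caveat: bindings, Active Record and escape() protect VALUES only. A column
    // name or sort direction taken from the request cannot be quoted as a string,
    // so it has to be checked against a whitelist before it reaches the query.
    public function list_sorted($column, $direction)
    {
        $allowed_columns = array('id', 'author', 'created_at');
        if (!in_array($column, $allowed_columns, TRUE)) {
            $column = 'id';
        }
        $direction = (strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
        return $this->db->order_by($column, $direction)->get('articles')->result();
    }
}
```

From a controller the safe variants are called with the raw request value, e.g. `$this->Article_model->find_by_author_bound($this->input->get('author'))`; there is no need to pre-escape the input, and doing so with escape() before binding would double-escape it. Two further points worth keeping in mind: `$this->input->get()`/`post()` with XSS filtering enabled does nothing against SQL injection, and for `LIKE` clauses the `%` and `_` characters in a value still act as wildcards even when bound, so use `$this->db->like()` or `$this->db->escape_like_str()` when that matters.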