0

I've finished one application, but while developing haven't checked about sql injections and now at the end, i need to fix this little issue.

Here's my code, how could i on easiest way fix this to prevent sql injection (is there any function just to format my username, password parameters, not to change my code).

public function getArtistByUsernameByPassword($username, $password) {
    $query = $this->db->query("SELECT * FROM artists WHERE username = '$username' AND  password = ' $password'");
    if ($query->num_rows() > 0) {
        return $query->row_array();
    }
    return null;
}

Thanks in advance!

Improve this question

2 Answers 2

Reset to default
1

Use Codeigniter's query builder class.

So your code would look like this.

$query = $this->db->get_where('artists', array('username' => $username, 'password' => $password));
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

A more "sugary" syntax would be $this->db->from->('artists')->where('username',$username)->where('password',$password)->get();
You may also want to add a limit to the query if this query is for authentication.
0

Use db->escape() and db->escapestr() functions to avoid sql injection...

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.