
From what I understand using $this->db->insert() escapes the values:

http://codeigniter.com/user_guide/database/active_record.html#insert

Note: All values are escaped automatically producing safer queries.

But when I look into mysql, my inputs are not escaped. Is it for some reason removed somehow?

Worried about sql injections here, that's why I'm asking.

1
  • You should include a snippet so that we can reproduce your observation. Commented Nov 1 at 14:11

2 Answers

2

When you escape a string for SQL statements it doesn't necessarily mean that you should see backslashes added when you look into the data later. It means that certain characters will be escaped and the SQL statement will run without any errors. Try inserting data with mysql_real_escape_string.

LINE: 557 https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Input.php

if ( ! is_php('5.4') && get_magic_quotes_gpc())
{
    $str = stripslashes($str);
}

And then

LINE: 285 https://github.com/EllisLab/CodeIgniter/blob/develop/system/database/drivers/mysql/mysql_driver.php

$str = is_resource($this->conn_id) ? mysql_real_escape_string($str, $this->conn_id) : addslashes($str);

The string is passed through mysql_real_escape_string or addslashes. Hence, we can say that safety measures against SQL injections are taken into account.


7 Comments

Yeah, mysql_real_escape_string and htmlspecialchars escape the values and insert them into the database with (\). But I'm wondering if codeigniter does escape it but does not show it in the database.
If that's the case you must be running a PHP version older than 5.3 and enabled magic_quotes_gpc which is probably considered by CodeIgniter and passed through stripslashes before calling mysql_real_escape_string.
I got curious and looked into CodeIgniter. It turns out that my guess is right. Editing the post now.
Yeah you are right about the old version. I turned off magic_quotes_gpc and still have the same issue, interested in your edit :)
Yeah thanks, I'm just looking at that now too. Would the result be the same with no values having \\ when inserted into the database with php 5.4 using $this->db->insert()?
0

By "escaped" they mean replacing this:

SELECT * FROM table1 WHERE field1 LIKE "some string with " quotes"

for this:

SELECT * FROM table1 WHERE field1 LIKE "some string with \" quotes"

If you want to make sure your strings are escaped before saving it, consider using the $this->db->escape* methods: http://codeigniter.com/user_guide/database/queries.html

Also, check:

1 Comment

Yeah the only problem I'm having is that when I actually do insert values into the database I do not see the escaped version. I kind of prefer for it to be that way. Just looking for confirmation that it actually escapes so sql injection doesn't happen. I've been reading here that you should escape output, not input. And with xss_clean, some people here are against it and I want people to submit things like <javascript> or <script>.
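The point both answers make, as an added example that is not part of the question, either answer, or CodeIgniter's own code: the backslashes exist only in the SQL text sent over the wire; the server's parser consumes them and stores the original string, which is why the rows show no backslashes. The emulations of PHP's addslashes(), stripslashes() and mysql_real_escape_string() below follow the documented behaviour of those functions but are my own Python, the MySQL literal decoder is a minimal one for single-quoted literals, and the table/column names, the sample values and the injection payload are constructed for the demonstration.

```python
"""Why an escaped INSERT stores no backslashes, and what magic_quotes_gpc changes.

Added example, not from the page or from CodeIgniter. Emulates (for a
single-byte charset) the PHP functions the first answer quotes, then looks at
the resulting SQL the way the server's parser does.
"""

# Characters mysql_real_escape_string() rewrites, per the MySQL C API docs.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# How the server decodes a backslash sequence inside a string literal.
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b",
             "t": "\t", "%": "\\%", "_": "\\_"}

TEMPLATE = "INSERT INTO posts (body) VALUES (?)"   # the statement we expect to run


def mysql_escape(value: str) -> str:
    """Emulation of PHP's mysql_real_escape_string()."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def addslashes(value: str) -> str:
    """Emulation of PHP's addslashes(): what magic_quotes_gpc did to request data."""
    return "".join("\\0" if ch == "\0" else ("\\" + ch if ch in "'\"\\" else ch)
                   for ch in value)


def stripslashes(value: str) -> str:
    """Emulation of PHP's stripslashes(), the inverse of addslashes()."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):
                out.append("\0" if value[i + 1] == "0" else value[i + 1])
            i += 2          # a trailing lone backslash is dropped, as in PHP
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def decode_mysql_literal(literal: str) -> str:
    """Decode one single-quoted MySQL literal into the value the server stores."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):       # backslash escape
            out.append(_UNESCAPE.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'" and body[i + 1:i + 2] == "'":  # doubled quote
            out.append("'")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def split_sql(sql: str):
    """Return (skeleton with literals replaced by ?, decoded literals): the
    structure the parser sees and the values that would be stored."""
    skeleton, literals, i = [], [], 0
    while i < len(sql):
        if sql[i] != "'":
            skeleton.append(sql[i])
            i += 1
            continue
        j = i + 1
        while j < len(sql):                        # find the closing quote
            if sql[j] == "\\":
                j += 2
            elif sql[j] == "'":
                if sql[j + 1:j + 2] == "'":
                    j += 2
                else:
                    break
            else:
                j += 1
        if j >= len(sql):
            raise ValueError("unterminated string literal")
        literals.append(decode_mysql_literal(sql[i:j + 1]))
        skeleton.append("?")
        i = j + 1
    return "".join(skeleton), literals


def insert_escaped(value: str) -> str:
    """What an escaping insert() sends for one column (hypothetical table 'posts')."""
    return "INSERT INTO posts (body) VALUES ('" + mysql_escape(value) + "')"


def insert_unescaped(value: str) -> str:
    """The same statement built by plain concatenation, for comparison."""
    return "INSERT INTO posts (body) VALUES ('" + value + "')"


def stored_value(sql: str) -> str:
    """The first literal as the server would store it (no backslashes)."""
    return split_sql(sql)[1][0]


def codeigniter_path(raw_input: str, magic_quotes: bool) -> str:
    """Mirror of the two quoted lines: undo magic quotes first, then escape."""
    s = addslashes(raw_input) if magic_quotes else raw_input   # what PHP handed over
    s = stripslashes(s) if magic_quotes else s                 # Input.php step
    return insert_escaped(s)                                   # mysql_driver step
```

Running split_sql() over insert_escaped("x'), ('pwned") gives the expected one-tuple skeleton with the payload stored verbatim, while insert_unescaped() of the same payload yields a two-tuple skeleton, i.e. a second row the application never intended. The last case in the test is the situation the comments circle around: if the slashes magic_quotes_gpc added are not stripped before escaping, the stored value keeps a literal backslash, which is the only way "escaped-looking" data ends up in the table.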
