Suppose that $this->input->post('location') holds an array like this:

Array
(
    [0] => 0
    [1] => 1
    [2] => 2
    [3] => 3
    [4] => 4
    [5] => 5
    [6] => 6
    [7] => 7
)

Is this query safe against SQL injection?

// one "?" placeholder per array element, joined by commas: "?,?,?,?,?,?,?,?"
$in  = str_repeat('?,', count($this->input->post('location')) - 1) . '?';
$sql = "SELECT id 
        FROM location
        WHERE id IN ($in)";
// bind the array to the placeholders, one value per "?"
$locations = $this->db->query($sql, $this->input->post('location'));

Thanks!

1 Comment

  • yes, this is pretty safe (Commented May 31, 2016 at 1:34)

2 Answers

I'm unsure if this is worth an answer, but I'm doing it anyway. Yes, your query is safe, like alex said in the comments, but what I don't understand is the unnecessary complexity with str_repeat. I'm not sure, but there are alternatives in CI to write a query like that:

$query = $this->db
            ->select("id")
            ->from("location")
            ->where_in("id",$this->input->post("location"))
            ->get();

The query above does the job too. Am I overlooking something here, or are you just unaware of the built-in query builder?

1 Comment

Thanks a lot sintakonte! I was unaware of this nicer solution. Thanks again :)
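The one-placeholder-per-value construction from the question, which the answer above calls safe, as an added example that is not code from the question, the answers or CodeIgniter. It runs the same pattern through PDO prepared statements against an in-memory SQLite table (assumed available through pdo_sqlite) instead of $this->db->query(), so it executes without a CI application; the table contents and the function names inPlaceholders(), findLocationIds() and fixtureDb() are constructed for the example. It also covers the two inputs the question's snippet does not handle: an empty array (str_repeat() with count - 1 = -1) and a scalar sent as location=5 instead of location[]=5.

```php
<?php
// Added example, not code from the question or either answer. It keeps the
// question's one-"?"-per-value construction but runs it through PDO against
// an in-memory SQLite table instead of CodeIgniter's $this->db->query(), so
// it executes without a CI application. Function names are illustrative.

// Build "?,?,?" with one placeholder per element. Rejects empty or non-array
// input: the question's str_repeat(..., count(...) - 1) gives a negative
// repeat count for an empty array, and "IN ()" is not valid SQL.
function inPlaceholders($values)
{
    if (!is_array($values) || $values === []) {
        throw new InvalidArgumentException('IN list must be a non-empty array');
    }
    return implode(',', array_fill(0, count($values), '?'));
}

// Run the IN query with every value sent as a bound parameter. The values
// never become part of the SQL text, so their content cannot change the query.
function findLocationIds(PDO $db, $requested)
{
    $sql  = 'SELECT id FROM location WHERE id IN (' . inPlaceholders($requested) . ')';
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($requested));
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed fixture: ids 0..7 as in the question, plus id 99, which must
// only come back if it is genuinely requested.
function fixtureDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE location (id INTEGER PRIMARY KEY)');
    foreach ([0, 1, 2, 3, 4, 5, 6, 7, 99] as $id) {
        $db->exec("INSERT INTO location (id) VALUES ($id)");
    }
    return $db;
}

$db = fixtureDb();

// 1. The array from the question: eight placeholders, eight bound values.
echo implode(',', findLocationIds($db, ['0', '1', '2', '3', '4', '5', '6', '7'])), PHP_EOL;

// 2. A hostile element. Spliced into the SQL as text it would read
//    "IN (1,2) OR 1=1 --" and return every row, including 99; as a bound
//    parameter it is just a string that matches no id.
echo implode(',', findLocationIds($db, ['1', '2) OR 1=1 --', '2'])), PHP_EOL;

// 3. Empty or scalar input (location=5 instead of location[]=5) is rejected
//    before any SQL is built instead of producing a malformed query.
foreach ([[], '5'] as $bad) {
    try {
        findLocationIds($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first call returns all eight ids and the second returns only ids 1 and 2: the injected element is compared as a plain string value and matches nothing, which is the property the comment and the answer above are relying on. The same holds in CodeIgniter, where both query() with an array of binds and the query builder's where_in() escape each value individually; what is not safe is concatenating the array into the SQL string with implode().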

As seen on http://www.codeigniter.com/user_guide/database/queries.html, yes, it is safe to do it like that. But you only need one '?'.

So the code should be like this:

$sql = "SELECT id 
        FROM location
        WHERE id IN (?)";
$locations = $this->db->query($sql, $this->input->post('location'));

1 Comment

Thanks a lot Dimitrios Desyllas!
