
I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically. If not, are there any frameworks that have this included?

Thanks!

  • Use prepared statements so you can say bye bye to mysql_real_escape_string(). Commented Oct 20, 2010 at 22:57
  • Forgive me, By prepared statements do you mean a function which cleanses all the variables and then puts them in the db? Commented Oct 20, 2010 at 23:06
  • No, he means prepared statements. Commented Oct 20, 2010 at 23:08
  • As Pete said, any MVC framework should have its own functions for interfacing with your db and take care of the repetitive stuff. Commented Oct 20, 2010 at 23:10

3 Answers


In order to use prepared statements, you can simply use query bindings with CodeIgniter.

$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);

More info found here.
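To make the difference concrete, here is an added example that is not code from the answer above, from CodeIgniter, or from any CodeIgniter project. It uses plain PDO with an in-memory SQLite database so it runs stand-alone; the user table and its three rows are constructed for the demonstration. It runs the same lookup two ways: once by pasting the untrusted value into the SQL text, and once by binding it with a `?` placeholder as the answer's `$this->db->query($query, $bind)` call does. One caveat worth knowing: in the CodeIgniter versions current at the time of this question, query bindings are escaped and substituted into the SQL by the framework before it is sent, rather than being true server-side prepared statements; either way the value never changes the shape of the query, which is what prevents injection.

```php
<?php
// Added example (not from the original post or from CodeIgniter):
// string-built SQL versus a bound parameter, run against an in-memory
// SQLite database. The table and rows below are constructed test data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO user (name) VALUES (?)');
foreach (['Jake', "O'Brien", 'admin'] as $name) {
    $seed->execute([$name]);
}

// Unsafe pattern: the untrusted value becomes part of the SQL text, so a
// quote in the input is parsed as SQL, not as data.
function findUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM user WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: the SQL text is fixed and the value travels separately.
// CodeIgniter's $this->db->query($sql, $binds) gives the same shape of call.
function findBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = [
    'Jake',          // ordinary value
    "O'Brien",       // a legitimate apostrophe: breaks the concatenated query
    "x' OR '1'='1",  // an injection payload: makes the WHERE clause always true
];

foreach ($inputs as $input) {
    echo "input: $input\n";
    try {
        $rows = findUnsafe($pdo, $input);
        echo '  unsafe: ' . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        echo '  unsafe: SQL error (' . $e->getMessage() . ")\n";
    }
    $rows = findBound($pdo, $input);
    echo '  bound:  ' . count($rows) . " row(s)\n";
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The second input reproduces the symptom described in the comments below this question, a syntax error when a quote is entered in a form field, and the third shows why that is a security problem rather than a cosmetic one: the concatenated query returns every row, while the bound query simply looks for a user literally named `x' OR '1'='1` and finds none.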



CakePHP runs all model queries through its own methods; if you use the model methods, it automatically sanitizes any data passed to the query for you, i.e.

$options['conditions'] = array('Product.status'=>$status);
$this->Product->find('first',$options);


Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.

2 Comments

Thank you for your response. With a default installation of CodeIgniter, I added in the database library, and I can insert quotes into a text input which is then sent to an Update query (using the database helper), and it results in a syntax error. So perhaps there is further configuration with CodeIgniter?
@Pete Sorry, I don't understand what you're asking. From your question I thought you were already familiar with CodeIgniter and are looking for ORM libraries like the one CI uses, which doesn't require any manual escaping...? Personally I have no experience with CI, so I can't tell you any specifics about it.
