
Since my last question on SO, I've been reading a bit about how to prevent SQL injection, and many people mentioned the Active Record class. But when I google it, it only exists in CodeIgniter 2.

so my questions are:

  1. Is the Query Builder Class in CodeIgniter 3 the upgraded version of the Active Record Class, or do they serve different purposes?

  2. Is it enough (in general) to use Query Builder Class methods like $this->where('field', $foo); instead of $this->where("field = '$foo'"); to prevent SQL injection?

P.S. I'm using CodeIgniter 3 and MySQL.

  • Take a look at: stackoverflow.com/questions/1615792/… Commented Nov 25, 2016 at 15:59
  • Yes, I've read that question before asking. That question does not answer either of my questions here, and there are too many different opinions there to conclude anything. Commented Nov 28, 2016 at 11:02

1 Answer

1- ActiveRecord was in CodeIgniter 2, but in CodeIgniter 3 you have QueryBuilder instead. Both classes do the same work for you; maybe QueryBuilder is an improved version of ActiveRecord. In other frameworks like Yii2, ActiveRecord is an ORM, not only a query string builder, but in CI it was a simple query builder.

2- CodeIgniter will escape all passed parameters automatically, but I suggest you validate your inputs before running queries. For example, the value of a numeric id field should be a number, not a string, so the rule for the ID input should be INTEGER. You can see Validation in CodeIgniter 3 in the official documentation: https://www.codeigniter.com/userguide3/libraries/form_validation.html

All you need to do is pass your field value as a function parameter, not as a string (field and value together). If you want to run your query without QueryBuilder, you must escape your parameters manually. You can get more information about it in the CodeIgniter documentation:

https://www.codeigniter.com/userguide3/database/queries.html#escaping-queries
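As an added illustration (not code from the question or the answer), here is how the two where() calls from the question compare inside a CodeIgniter 3 model, alongside the query-binding and manual-escaping routes for raw SQL and the INTEGER validation rule the answer recommends; the model, controller, table and column names are assumed for the example.

```php
<?php
// Added example, not code from the question or the answer. Assumes a CodeIgniter 3
// app with the database library autoloaded; the 'users' table is made up.
class User_model extends CI_Model
{
    // UNSAFE: field and value arrive as one string, so Query Builder cannot tell
    // where the data starts and inserts the string into the WHERE clause verbatim.
    public function find_by_name_unsafe($name)
    {
        $this->db->where("username = '$name'");
        return $this->db->get('users')->row();
    }

    // SAFE: separate arguments; Query Builder escapes and quotes $name, so it stays data.
    public function find_by_name($name)
    {
        $this->db->where('username', $name);
        return $this->db->get('users')->row();
    }

    // Raw SQL, option 1: query bindings; each '?' takes the next escaped value.
    public function find_active_by_id($id)
    {
        $sql = 'SELECT * FROM users WHERE id = ? AND status = ?';
        return $this->db->query($sql, array($id, 'active'))->row();
    }

    // Raw SQL, option 2: manual escaping; escape() adds the quotes itself.
    public function find_by_email($email)
    {
        $sql = 'SELECT * FROM users WHERE email = ' . $this->db->escape($email);
        return $this->db->query($sql)->row();
    }
}

// Validate before querying, as the answer recommends: a non-integer id is
// rejected outright instead of relying on escaping alone.
class Users extends CI_Controller
{
    public function show()
    {
        $this->load->library('form_validation');
        $this->load->model('user_model');
        $this->form_validation->set_rules('id', 'ID', 'required|integer');
        if ($this->form_validation->run() === FALSE) {
            show_error('Invalid id', 400);
        }
        echo json_encode($this->user_model->find_active_by_id((int) $this->input->post('id')));
    }
}
```

Calling $this->db->last_query() after each model method shows the generated SQL, which is the quickest way to confirm that a value was quoted as data rather than spliced in as SQL.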
