CodeIgniter Forums
is it safe to use $this->db->query($sql); - Printable Version

Thread: is it safe to use $this->db->query($sql); (https://forum.codeigniter.com/showthread.php?tid=61263)



is it safe to use $this->db->query($sql); - smallbug - 04-05-2015

Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



So that I don't forget how to write regular SQL code, I use this model:

PHP Code:
public function intsertNew($firstname, $secondname, $age) {
    $sql = "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
    $query = $this->db->query($sql);
    return $query; // TRUE/FALSE
}


In the config of database.php I use PDO to be safe:
PHP Code:
$db['default'] = array(
    'dsn' => 'mysql:host=localhost;dbname=employee',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => '',
    'database' => 'employee',
    'dbdriver' => 'pdo',
    'dbprefix' => '',
    'pconnect' => FALSE,
    'db_debug' => TRUE,
    'cache_on' => FALSE,
    'cachedir' => '',
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
    'swap_pre' => '',
    'encrypt' => FALSE,
    'compress' => FALSE,
    'stricton' => FALSE,
    'failover' => array(),
    'save_queries' => TRUE
);
My question: is it safe (against SQL injection) to use that query above?

Many thanks


RE: is it safe to use $this->db->query($sql); - gadelat - 04-05-2015

No. Use query bindings.


RE: is it safe to use $this->db->query($sql); - kilishan - 04-05-2015

The code you have shown is only safe if you were to use
Code:
$this->db->escape()
on each variable prior to calling the query() method.

And gadelat is right - use query bindings because it does it for you.


RE: is it safe to use $this->db->query($sql); - casa - 04-05-2015

(04-05-2015, 01:07 PM)smallbug Wrote: [...] My question: is it safe (against SQL injection) to use that query above?

To secure your query:
PHP Code:
$table_name = 'tbl_employee';
$data = array('firstname'  => $var1,
              'secondname' => $your_var,
              'age'        => $your_var2);
$this->db->insert($table_name, $data); // this will escape your vars automatically



RE: is it safe to use $this->db->query($sql); - casa - 04-05-2015

Another solution (automatically protected):
PHP Code:
$sql = "INSERT INTO tbl_employee (firstname, secondname, age) VALUES(?, ?, ?)";
$query = $this->db->query($sql, array('firstname' => $var1, 'secondname' => $var2, 'age' => $var3));
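The three fixes given in the replies (kilishan's escape() on every value, casa's query bindings and casa's Query Builder insert()) side by side with the original model method, as an added example that is not code from the thread. It uses the CodeIgniter 3 database API the replies refer to; the model class name, the (int) cast on the age column and the comments are my own assumptions, and the table and column names are the ones from the original post.

```php
<?php
// Added example, not the poster's or the framework's code: the posted
// intsertNew() model rewritten three safe ways for CodeIgniter 3.
// Assumed: CI3 is loaded (CI_Model, $this->db), table tbl_employee exists.
defined('BASEPATH') OR exit('No direct script access allowed');

class Employee_model extends CI_Model
{
    // UNSAFE: what the original post does. The values are interpolated into
    // the SQL string before query() ever sees it, so the driver (PDO or any
    // other) receives one finished string and cannot tell data from SQL.
    // Even a legitimate name such as O'Brien breaks this statement.
    // Kept only for comparison; do not use.
    public function insert_unsafe($firstname, $secondname, $age)
    {
        $sql = "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
        return $this->db->query($sql);
    }

    // Option 1 (kilishan's reply): escape() every value before it goes into
    // the string. escape() returns string values already wrapped in quotes, so
    // the SQL must not add its own quotes around them. The unquoted numeric
    // column is where this usually goes wrong, so the age is cast to int and
    // nothing but digits can reach the query text.
    public function insert_escaped($firstname, $secondname, $age)
    {
        $sql = 'INSERT INTO tbl_employee (firstname, secondname, age) VALUES ('
             . $this->db->escape($firstname) . ', '
             . $this->db->escape($secondname) . ', '
             . (int) $age . ')';
        return $this->db->query($sql);
    }

    // Option 2 (casa's second reply): query bindings. Each ? is replaced, in
    // order, by the escaped value; the database library does the escaping.
    public function insert_bound($firstname, $secondname, $age)
    {
        $sql = 'INSERT INTO tbl_employee (firstname, secondname, age) VALUES (?, ?, ?)';
        return $this->db->query($sql, array($firstname, $secondname, (int) $age));
    }

    // Option 3 (casa's first reply): Query Builder. Keys are column names,
    // values are escaped automatically and no SQL string is written by hand.
    public function insert_qb($firstname, $secondname, $age)
    {
        return $this->db->insert('tbl_employee', array(
            'firstname'  => $firstname,
            'secondname' => $secondname,
            'age'        => (int) $age,
        ));
    }
}
```

Two points worth checking after switching: first, the 'dbdriver' => 'pdo' setting from the original post changes nothing here, because query() called with a single string argument sends that string as it is, and CI3 bindings are applied by escaping the values and substituting them into the string before it is sent, not by a server-side prepared statement; second, with 'save_queries' => TRUE (also in the poster's config) you can call $this->db->last_query() right after any of the three safe methods and confirm that a value containing a quote arrives in the compiled SQL escaped rather than as part of the statement.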



RE: is it safe to use $this->db->query($sql); - smallbug - 04-05-2015

Thanks a lot for helping, query bindings work.