CodeIgniter Forums
Question About SQL injection - Printable Version




Question About SQL injection - piece601 - 01-30-2015

http://www.slideshare.net/mobile/pichayaa/vulnerable-activerecord
I think this is important.
May I ask a question: does post data automatically have vulnerable characters escaped?


RE: Question About SQL injection - Narf - 01-31-2015

No, post data is not automatically escaped in such a way.

Values passed to AR are.
Field names passed to AR are NOT and this is noted in the manual.

The slides that you've linked to blatantly ignore that last point and intentionally make it look like the manual says that field names are escaped. They do so by taking a note about the where() function and presenting it as if it applies to every AR function. I wonder if that's the reason why the author didn't report the "issue" to CI ... cheap fame.
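As an added illustration of the distinction Narf draws above (this is not code from the thread or from CodeIgniter itself), assuming a CodeIgniter 3 model where `$this->db` is the Query Builder with its `where()`, `order_by()` and `get()` methods: the value side of a query can come from the request because the builder escapes it, but any field name that originates in the request has to be checked against an allowlist first.

```php
<?php
// Added example (not from the thread or from CodeIgniter). Assumes a
// CodeIgniter 3 model, so $this->db is the Query Builder instance.
class User_model extends CI_Model
{
    // Constructed allowlist: the only column names a client may sort by.
    private $sortable = ['id', 'username', 'created_at'];

    public function find_by_name($username, $requested_sort)
    {
        // Field names are NOT escaped by the Query Builder, so the column
        // handed to order_by() must come from the allowlist, never straight
        // from the request. Strict comparison: only an exact match passes.
        $sort_col = in_array($requested_sort, $this->sortable, true)
            ? $requested_sort
            : 'id';

        // Values ARE escaped by the builder, so the raw request value can be
        // passed to where() as the second argument.
        return $this->db
            ->where('username', $username)   // value: escaped by Query Builder
            ->order_by($sort_col, 'ASC')     // field name: validated above
            ->get('users')
            ->result_array();
    }
}
```

A controller would call this as `$this->user_model->find_by_name($this->input->get('username'), $this->input->get('sort'));`, so the only request-derived string that reaches a field-name position is one the model has already matched against its allowlist.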