Question About SQL injection
#1

http://www.slideshare.net/mobile/pichaya...tiverecord
I think this is important.
May I ask a question: will POST data automatically escape vulnerable characters?
#2

No, post data is not automatically escaped in such a way.

Values passed to AR are.
Field names passed to AR are NOT and this is noted in the manual.

The slides that you've linked to blatantly ignore that last point and intentionally make it look like the manual says that field names are escaped. They do so by taking a note about the where() function and presenting it as if it applies to every AR function. I wonder if that's the reason why the author didn't report the "issue" to CI ... cheap fame.
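The distinction drawn in the reply above (values are escaped, field names are not) is a general property of any database layer, not just CodeIgniter's Active Record: a value can be bound as a parameter, but an identifier such as a column name in SELECT or ORDER BY is spliced into the SQL text and must be allow-listed by the application. The following is an added example written for this thread, not CodeIgniter code and not from the linked slides; it uses Python's sqlite3 module and a constructed users table with a hypothetical password_hash column to show a bound value rendered harmless, a caller-supplied ORDER BY field used to leak one bit of that column, why a placeholder does not help for identifiers, and the allow-list check that does.

```python
"""Values vs. identifiers in SQL: added demo, not CodeIgniter code.

Assumptions (constructed for this example): a users table with a secret
password_hash column, and an application allow-list of sortable fields.
"""
import sqlite3

# Constructed sample rows. ids are chosen so that rowid (scan) order,
# ascending username order and descending username order all differ.
ROWS = [
    (1, "alice", "alice@example.com", "hash-a1"),
    (2, "carol", "carol@example.com", "hash-c2"),
    (3, "bob",   "bob@example.com",   "hash-b3"),
]

# Field names the application is willing to accept from a caller.
# Anything else is rejected before it reaches the query text.
ALLOWED_FIELDS = frozenset({"id", "username", "email"})


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def find_by_username(conn, username):
    """Value case (where('username', $x) in AR terms): the value is bound,
    so injection text is compared as a literal string and matches nothing."""
    rows = conn.execute("SELECT id FROM users WHERE username = ?", (username,))
    return [r[0] for r in rows.fetchall()]


def list_sorted_unsafe(conn, order_field):
    """Field-name case with no filtering: the caller-supplied name is
    concatenated into the SQL, which is what an unfiltered order_by() does."""
    sql = "SELECT username FROM users ORDER BY " + order_field
    return [r[0] for r in conn.execute(sql).fetchall()]


def list_sorted_bound(conn, order_field):
    """Why a placeholder is not the fix for identifiers: the bound value is a
    constant expression, so every row has the same sort key and the name of
    the column is never used. No error, just no sorting by that column."""
    sql = "SELECT username FROM users ORDER BY ?"
    return [r[0] for r in conn.execute(sql, (order_field,)).fetchall()]


def list_sorted_safe(conn, order_field):
    """Hardened form: reject anything not on the allow-list, then quote the
    identifier. The allow-list, not the quoting, is what stops injection."""
    if order_field not in ALLOWED_FIELDS:
        raise ValueError("field name not allowed: %r" % (order_field,))
    sql = 'SELECT username FROM users ORDER BY "%s"' % order_field
    return [r[0] for r in conn.execute(sql).fetchall()]


def oracle(prefix):
    """Constructed attacker payload for the field-name position: the sort
    order depends on whether user 1's hash starts with `prefix`, so each
    request leaks one bit of the secret column through row order alone."""
    return ("CASE WHEN (SELECT password_hash FROM users WHERE id = 1) "
            "LIKE '%s%%' THEN username END DESC" % prefix)


def demo():
    conn = setup_db()
    results = {
        "value_literal": find_by_username(conn, "alice"),
        "value_injected": find_by_username(conn, "alice' OR '1'='1"),
        "unsafe_probe_true": list_sorted_unsafe(conn, oracle("hash-a")),
        "unsafe_probe_false": list_sorted_unsafe(conn, oracle("hash-z")),
        "bound_identifier": list_sorted_bound(conn, "username"),
        "safe_sorted": list_sorted_safe(conn, "username"),
    }
    try:
        list_sorted_safe(conn, oracle("hash-a"))
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

A true probe returns the rows in descending username order and a false probe does not, so an attacker who controls only the ORDER BY field can read the secret column one guess at a time without ever seeing an error. The hardened function never reaches the database with the payload.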