Is this MODEL method safe?
#11

(07-19-2017, 10:21 AM)PaulD Wrote:
Quote:As far as I know where method is already escaping the strings, there is no need to do what he suggests.

Yes, you are right, in the docs you can see:

Quote:It also allows for safer queries, since the values are escaped automatically by the system.
https://www.codeigniter.com/user_guide/d...lder-class

This is true for every query builder function. However, you seem to be setting your sql in a variable to run like this:

PHP Code:
$this->db->query($sql); 

This is then NOT automatically escaped, so in that case, yes, you should escape the variables as your security advisor suggested.

Hope that helps,

Best wishes,

Paul

PS Well done for not rising to the comments about your actual coding.
Quote:No problem. We are here to learn. Can you please come up with some arguments?
Although I have to agree, it is somewhat 'clunky', but then again, if some of the better or more experienced programmers saw some of the code I churn out, they might justifiably have the same reaction. We all code what we can in the best way we know. The beauty of coding (IMHO) is there is always more to learn. Some people might say that if it works it is fine. I personally like beautiful code, but beauty is in the eye of the beholder of course. To me it is code that for the most part, makes sense when you see it, is easy to understand, almost plain, but laid out strictly and beautifully. However, I also love clever code and am a fan of code golf, the cleverness of some people in the formulation of code to do something in a particular way never ceases to amaze me.

Thanks for the response. As you can see, I am not using $this->db->query(). I am just passing that $sql string to the where method. Probably, as you already know, the where method invokes the _wh method, which at a certain point escapes the values if you set the _wh method's $escape argument to TRUE.

And yes, you are right: if I used RAW queries and executed them with $this->db->query($query), I would definitely need to escape them before calling this method.

Any other advice when playing around with queries, apart from what is mentioned in the docs?
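The distinction the two posts above are circling, shown as an added example (this is not code from the thread, nor CodeIgniter's own code): a CodeIgniter 3 model in which the same lookup is written with a pre-built where string, with key/value arguments to where(), and with query bindings on a raw query(). The table `users` and its columns `id`, `email` and `status` are assumed for illustration. The point is that where() only passes its separate $value argument through escape(); a condition handed over as a single string has its column names protected but keeps whatever was interpolated into it.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example, not code from the thread. Assumes a CodeIgniter 3 model and a
// hypothetical table `users` with columns `id`, `email` and `status`.
class User_model extends CI_Model
{
    // UNSAFE: the value is interpolated into the string before where() sees it.
    // where() receives one string and no $value, so _wh() stores it as a custom
    // condition; escape() is only applied to the $value argument. At compile time
    // `id` is wrapped in backticks, but input such as  1 OR 1=1  stays verbatim.
    public function find_unsafe($id)
    {
        $sql = "id = $id";
        return $this->db->where($sql)->get('users')->row();
    }

    // SAFE: key and value are passed separately, so _wh() runs escape() on $id
    // and protect_identifiers() on the column name when the query is compiled.
    public function find_by_id($id)
    {
        return $this->db->where('id', $id)->get('users')->row();
    }

    // SAFE: the same idea for several conditions; every array value is escaped.
    public function find_active_by_email($email)
    {
        return $this->db
            ->where(array('email' => $email, 'status' => 'active'))
            ->get('users')
            ->row();
    }

    // SAFE: raw SQL via query() is NOT escaped automatically, so use query
    // bindings; each ? is replaced by the escaped value from the second argument.
    public function find_by_email_raw($email)
    {
        $sql = 'SELECT id, email FROM users WHERE email = ? AND status = ?';
        return $this->db->query($sql, array($email, 'active'))->row();
    }

    // When a custom where string is unavoidable, escape the value yourself while
    // building it; escape() adds the surrounding quotes for string values.
    public function find_by_email_custom($email)
    {
        $sql = 'email = ' . $this->db->escape($email);
        return $this->db->where($sql)->get('users')->row();
    }
}
```

A quick way to see the difference during development is to call $this->db->get_compiled_select('users') instead of get('users') for each variant and compare the generated WHERE clauses: the key/value and bound forms quote the input, while the interpolated string does not.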


Messages In This Thread
Is this MODEL method safe? - by george.adrian - 07-19-2017, 02:51 AM
RE: Is this MODEL method safe? - by ciadvantage - 07-19-2017, 08:02 AM
RE: Is this MODEL method safe? - by george.adrian - 07-19-2017, 08:08 AM
RE: Is this MODEL method safe? - by ivantcholakov - 07-19-2017, 08:22 AM
RE: Is this MODEL method safe? - by george.adrian - 07-19-2017, 08:27 AM
RE: Is this MODEL method safe? - by ivantcholakov - 07-19-2017, 08:56 AM
RE: Is this MODEL method safe? - by george.adrian - 07-19-2017, 09:06 AM
RE: Is this MODEL method safe? - by nippi9 - 07-19-2017, 09:01 AM
RE: Is this MODEL method safe? - by PaulD - 07-19-2017, 10:21 AM
RE: Is this MODEL method safe? - by george.adrian - 07-19-2017, 11:00 AM
RE: Is this MODEL method safe? - by ivantcholakov - 07-19-2017, 10:42 AM
RE: Is this MODEL method safe? - by Martin7483 - 07-19-2017, 11:18 AM
RE: Is this MODEL method safe? - by george.adrian - 07-19-2017, 11:44 AM
RE: Is this MODEL method safe? - by Martin7483 - 07-19-2017, 01:11 PM
RE: Is this MODEL method safe? - by george.adrian - 07-20-2017, 02:51 AM
RE: Is this MODEL method safe? - by Martin7483 - 07-20-2017, 03:18 AM
RE: Is this MODEL method safe? - by george.adrian - 07-20-2017, 04:47 AM
RE: Is this MODEL method safe? - by Martin7483 - 07-20-2017, 05:01 AM
RE: Is this MODEL method safe? - by george.adrian - 07-20-2017, 05:13 AM
RE: Is this MODEL method safe? - by ivantcholakov - 07-20-2017, 07:12 AM


