Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Using CodeIgniter Best Practices is it safe to use $this->db->query($sql);
is it safe to use $this->db->query($sql);
  • Offline smallbug
    Junior Member
  • **
  • Posts: 10
    Threads: 5
    Joined: Apr 2015
    Reputation: 0
#1
04-05-2015, 01:07 PM

Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



If I don't want to forget the way how to create regular SQL-Code, I use this model:

PHP Code:
public function intsertNew($firstname$secondname$age) { 

 $sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
 $query $this->db->query($sql);


 return $query// TRUE/FALSE


In the config of database.php I use PDO to be safe:
PHP Code:
$db['default'] = array(
 'dsn' => 'mysql:host=localhost;dbname=employee',
 'hostname' => 'localhost',
 'username' => 'root',
 'password' => '',
 'database' => 'employee',
 'dbdriver' => 'pdo',
 'dbprefix' => '',
 'pconnect' => FALSE,
 'db_debug' => TRUE,
 'cache_on' => FALSE,
 'cachedir' => '',
 'char_set' => 'utf8',
 'dbcollat' => 'utf8_general_ci',
 'swap_pre' => '',
 'encrypt' => FALSE,
 'compress' => FALSE,
 'stricton' => FALSE,
 'failover' => array(),
 'save_queries' => TRUE
); 
My question: is it safe (SQL Injection) when I use that query above?

Many thanks
Reply
  • Offline gadelat
    Member
  • ***
  • Posts: 128
    Threads: 3
    Joined: Feb 2015
    Reputation: 7
#2
04-05-2015, 03:39 PM

No. Use query bindings
Reply
  • Offline kilishan
    CI Project Lead
  • *******
  • Posts: 1,461
    Threads: 90
    Joined: Oct 2014
    Reputation: 120
#3
04-05-2015, 08:00 PM

The code you have shown is only save if you were to use
Code:
$this->db->escape()
on each variable prior to calling the query() method.

And gadelat is right - use query bindings because it does it for you.
Support Development •  CodeIgniter 4 Foundations • Practical CodeIgniter 3  • CodeIgniter Tutorials
Reply
  • Offline casa
    Member
  • ***
  • Posts: 59
    Threads: 17
    Joined: Apr 2015
    Reputation: 2
#4
04-05-2015, 09:40 PM

(04-05-2015, 01:07 PM)smallbug Wrote: Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



If I don't want to forget the way how to create regular SQL-Code, I use this model:


PHP Code:
public function intsertNew($firstname$secondname$age) { 

 $sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
 $query $this->db->query($sql);


 return $query// TRUE/FALSE


In the config of database.php I use PDO to be safe:

PHP Code:
$db['default'] = array(
 'dsn' => 'mysql:host=localhost;dbname=employee',
 'hostname' => 'localhost',
 'username' => 'root',
 'password' => '',
 'database' => 'employee',
 'dbdriver' => 'pdo',
 'dbprefix' => '',
 'pconnect' => FALSE,
 'db_debug' => TRUE,
 'cache_on' => FALSE,
 'cachedir' => '',
 'char_set' => 'utf8',
 'dbcollat' => 'utf8_general_ci',
 'swap_pre' => '',
 'encrypt' => FALSE,
 'compress' => FALSE,
 'stricton' => FALSE,
 'failover' => array(),
 'save_queries' => TRUE
); 
My question: is it safe (SQL Injection) when I use that query above?

Many thanks

To Secure your query:
PHP Code:
$talbe_name 'tbl_employee' ;
$data = array('firstname' => $var1
                   'secondname' => $your_var,
                   'age' => $your_var2) ;
$this->db->insert($table_name$data) ;  // this will escape your var automatically 
Reply
  • Offline casa
    Member
  • ***
  • Posts: 59
    Threads: 17
    Joined: Apr 2015
    Reputation: 2
#5
04-05-2015, 10:02 PM

Another solution too (automactically protected):
PHP Code:
$sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES(?, ?,?)";
 $query $this->db->query($sql, array('firstname' => $var1'secondname' => $var2'age' => $var3)); 
Reply
  • Offline smallbug
    Junior Member
  • **
  • Posts: 10
    Threads: 5
    Joined: Apr 2015
    Reputation: 0
#6
04-05-2015, 11:05 PM

Thanks a lot for helping, query bindings work
Reply




Theme © iAndrew 2016 - Forum software by © MyBB