• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
is it safe to use $this->db->query($sql);

#1
Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



If I don't want to forget the way how to create regular SQL-Code, I use this model:

PHP Code:
public function intsertNew($firstname$secondname$age) { 

 
$sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
 
$query $this->db->query($sql);


 return 
$query// TRUE/FALSE


In the config of database.php I use PDO to be safe:
PHP Code:
$db['default'] = array(
 
'dsn' => 'mysql:host=localhost;dbname=employee',
 
'hostname' => 'localhost',
 
'username' => 'root',
 
'password' => '',
 
'database' => 'employee',
 
'dbdriver' => 'pdo',
 
'dbprefix' => '',
 
'pconnect' => FALSE,
 
'db_debug' => TRUE,
 
'cache_on' => FALSE,
 
'cachedir' => '',
 
'char_set' => 'utf8',
 
'dbcollat' => 'utf8_general_ci',
 
'swap_pre' => '',
 
'encrypt' => FALSE,
 
'compress' => FALSE,
 
'stricton' => FALSE,
 
'failover' => array(),
 
'save_queries' => TRUE
); 
My question: is it safe (SQL Injection) when I use that query above?

Many thanks
Reply

#2
No. Use query bindings
Reply

#3
The code you have shown is only save if you were to use
Code:
$this->db->escape()
on each variable prior to calling the query() method.

And gadelat is right - use query bindings because it does it for you.
Reply

#4
(04-05-2015, 01:07 PM)smallbug Wrote: Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



If I don't want to forget the way how to create regular SQL-Code, I use this model:


PHP Code:
public function intsertNew($firstname$secondname$age) { 

 
$sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
 
$query $this->db->query($sql);


 return 
$query// TRUE/FALSE


In the config of database.php I use PDO to be safe:

PHP Code:
$db['default'] = array(
 
'dsn' => 'mysql:host=localhost;dbname=employee',
 
'hostname' => 'localhost',
 
'username' => 'root',
 
'password' => '',
 
'database' => 'employee',
 
'dbdriver' => 'pdo',
 
'dbprefix' => '',
 
'pconnect' => FALSE,
 
'db_debug' => TRUE,
 
'cache_on' => FALSE,
 
'cachedir' => '',
 
'char_set' => 'utf8',
 
'dbcollat' => 'utf8_general_ci',
 
'swap_pre' => '',
 
'encrypt' => FALSE,
 
'compress' => FALSE,
 
'stricton' => FALSE,
 
'failover' => array(),
 
'save_queries' => TRUE
); 
My question: is it safe (SQL Injection) when I use that query above?

Many thanks

To Secure your query:
PHP Code:
$talbe_name 'tbl_employee' ;
$data = array('firstname' => $var1
                   
'secondname' => $your_var,
                   
'age' => $your_var2) ;
$this->db->insert($table_name$data) ;  // this will escape your var automatically 
Reply

#5
Another solution too (automactically protected):
PHP Code:
$sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES(?, ?,?)";
 
$query $this->db->query($sql, array('firstname' => $var1'secondname' => $var2'age' => $var3)); 
Reply

#6
Thanks a lot for helping, query bindings work
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.