Create account



CodeIgniter.com Twitter      


  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
is it safe to use $this->db->query($sql);

Offline smallbug
Junior Member
**
Posts: 10
Threads: 5
Joined: Apr 2015
Reputation: 0
#1
04-05-2015, 01:07 PM
Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



If I don't want to forget the way how to create regular SQL-Code, I use this model:

PHP Code:
public function intsertNew($firstname$secondname$age) { 

 $sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
 $query $this->db->query($sql);


 return $query// TRUE/FALSE


In the config of database.php I use PDO to be safe:
PHP Code:
$db['default'] = array(
 'dsn' => 'mysql:host=localhost;dbname=employee',
 'hostname' => 'localhost',
 'username' => 'root',
 'password' => '',
 'database' => 'employee',
 'dbdriver' => 'pdo',
 'dbprefix' => '',
 'pconnect' => FALSE,
 'db_debug' => TRUE,
 'cache_on' => FALSE,
 'cachedir' => '',
 'char_set' => 'utf8',
 'dbcollat' => 'utf8_general_ci',
 'swap_pre' => '',
 'encrypt' => FALSE,
 'compress' => FALSE,
 'stricton' => FALSE,
 'failover' => array(),
 'save_queries' => TRUE
); 
My question: is it safe (SQL Injection) when I use that query above?

Many thanks
Find
Reply

Offline gadelat
Member
***
Posts: 128
Threads: 3
Joined: Feb 2015
Reputation: 7
#2
04-05-2015, 03:39 PM
No. Use query bindings
Find
Reply

Offline kilishan
CI Project Lead
*******
Posts: 1,284
Threads: 65
Joined: Oct 2014
Reputation: 82
#3
04-05-2015, 08:00 PM
The code you have shown is only save if you were to use
Code:
$this->db->escape()
on each variable prior to calling the query() method.

And gadelat is right - use query bindings because it does it for you.
Support Development •  CodeIgniter 4 Foundations • Practical CodeIgniter 3  • Myth:Auth
Website Find
Reply

Offline casa
Member
***
Posts: 59
Threads: 17
Joined: Apr 2015
Reputation: 2
#4
04-05-2015, 09:40 PM
(04-05-2015, 01:07 PM)smallbug Wrote: Hi All!

I'm a beginner and have just started with CodeIgniter 3.0



If I don't want to forget the way how to create regular SQL-Code, I use this model:


PHP Code:
public function intsertNew($firstname$secondname$age) { 

 $sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)";
 $query $this->db->query($sql);


 return $query// TRUE/FALSE


In the config of database.php I use PDO to be safe:

PHP Code:
$db['default'] = array(
 'dsn' => 'mysql:host=localhost;dbname=employee',
 'hostname' => 'localhost',
 'username' => 'root',
 'password' => '',
 'database' => 'employee',
 'dbdriver' => 'pdo',
 'dbprefix' => '',
 'pconnect' => FALSE,
 'db_debug' => TRUE,
 'cache_on' => FALSE,
 'cachedir' => '',
 'char_set' => 'utf8',
 'dbcollat' => 'utf8_general_ci',
 'swap_pre' => '',
 'encrypt' => FALSE,
 'compress' => FALSE,
 'stricton' => FALSE,
 'failover' => array(),
 'save_queries' => TRUE
); 
My question: is it safe (SQL Injection) when I use that query above?

Many thanks

To Secure your query:
PHP Code:
$talbe_name 'tbl_employee' ;
$data = array('firstname' => $var1
                   'secondname' => $your_var,
                   'age' => $your_var2) ;
$this->db->insert($table_name$data) ;  // this will escape your var automatically 
Find
Reply

Offline casa
Member
***
Posts: 59
Threads: 17
Joined: Apr 2015
Reputation: 2
#5
04-05-2015, 10:02 PM
Another solution too (automactically protected):
PHP Code:
$sql "INSERT INTO tbl_employee (firstname, secondname, age) VALUES(?, ?,?)";
 $query $this->db->query($sql, array('firstname' => $var1'secondname' => $var2'age' => $var3)); 
Find
Reply

Offline smallbug
Junior Member
**
Posts: 10
Threads: 5
Joined: Apr 2015
Reputation: 0
#6
04-05-2015, 11:05 PM
Thanks a lot for helping, query bindings work
Find
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.