Question About Sql injection

#1
http://www.slideshare.net/mobile/pichaya...tiverecord
I think this is important.
May I ask a question: will post data automatically escape vulnerability characters?

#2
No, post data is not automatically escaped in such a way.

Values passed to AR are.
Field names passed to AR are NOT and this is noted in the manual.

The shares that you've linked to blatantly ignore that last thing and intentionally make it look like the manual says that field names are escaped. It does so by taking a note about the where() function and presenting it as if it applies to every AR function. I wonder if that's the reason why the author didn't report the "issue" to CI ... cheap fame.

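The distinction drawn in the answer above (values passed to AR are escaped, field names are not), as an added example that is not part of the original thread: field names taken from POST data are checked against a fixed allowlist before they reach Active Record. The function names, column names, table name and sample input are hypothetical.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Function names, column names and sample input are hypothetical.

/**
 * Keep only filters whose field name is on the allowlist.
 * Values are left alone: per the answer above, Active Record escapes them.
 */
function allowlisted_filters(array $input, array $allowed_columns): array
{
    $safe = [];
    foreach ($input as $field => $value) {
        // Strict comparison: the key must be exactly a known column name.
        if (!is_string($field) || !in_array($field, $allowed_columns, true)) {
            continue;
        }
        // Drop nested arrays so only a single scalar reaches the query.
        if (!is_scalar($value)) {
            continue;
        }
        $safe[$field] = (string) $value;
    }
    return $safe;
}

/** Return the requested sort column only if it is a known column. */
function allowlisted_sort($requested, array $allowed_columns, string $default): string
{
    return (is_string($requested) && in_array($requested, $allowed_columns, true))
        ? $requested
        : $default;
}

// Constructed POST data: one valid filter, one key that is not a column
// name, and one nested value.
$post = [
    'email'        => "o'brien@example.com",
    'email OR 1=1' => 'x',
    'status'       => ['nested'],
];
$columns = ['email', 'status', 'name'];

$filters = allowlisted_filters($post, $columns);
$sort    = allowlisted_sort('created_at; --', $columns, 'name');
var_dump($filters, $sort);

// In a CodeIgniter model the checked names would then be passed on, e.g.:
// $this->db->where($filters)->order_by($sort, 'asc')->get('users');
```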
