CodeIgniter Forums

Full Version: Question About Sql injection
http://www.slideshare.net/mobile/pichaya...tiverecord
I think this is important.
May I ask a question: will POST data automatically escape vulnerable characters?
No, post data is not automatically escaped in such a way.

Values passed to AR are.
Field names passed to AR are NOT and this is noted in the manual.

The slides that you've linked to blatantly ignore that last point and intentionally make it look like the manual says that field names are escaped. They do so by taking a note about the where() function and presenting it as if it applied to every AR function. I wonder if that's the reason why the author didn't report the "issue" to CI ... cheap fame.
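An added example (not code from either poster or from the CodeIgniter project) illustrating the point of the reply above: a value handed to Active Record is escaped, but a field name is not, so a column name that comes from the request has to be checked against a whitelist before it reaches AR. The model, table and column names below are assumptions for illustration; `$this->db->where()`, `$this->db->get()` and `show_error()` are the ordinary CodeIgniter calls.

```php
<?php
// Added example: whitelisting a user-supplied field name before it reaches
// Active Record. The Product_model class, the `products` table and its
// columns are assumptions made up for this illustration.

class Product_model extends CI_Model
{
    // Columns a client may filter by (assumed schema).
    private $allowed_fields = array('name', 'category', 'price');

    /**
     * Return the column name if it is one of the known columns, else FALSE.
     * The comparison is strict and exact, so only a literal member of the
     * list is ever returned; the request string itself is never used.
     */
    public function safe_field($field)
    {
        return in_array($field, $this->allowed_fields, TRUE) ? $field : FALSE;
    }

    // Unsafe: $field comes straight from the request. AR escapes $term (the
    // value) but, as the reply notes, it does not escape the field name.
    public function search_unsafe($field, $term)
    {
        $this->db->where($field, $term);
        return $this->db->get('products')->result();
    }

    // Hardened: the field name must be one of the whitelisted columns; the
    // value is still left to AR, which escapes it.
    public function search($field, $term)
    {
        $column = $this->safe_field($field);
        if ($column === FALSE) {
            show_error('Invalid field', 400);
        }
        $this->db->where($column, $term);
        return $this->db->get('products')->result();
    }
}
```

From a controller the hardened version is called as `$this->product_model->search($this->input->get('field'), $this->input->get('q'))`; the same whitelist approach applies to any other AR method that takes a column name from outside, such as an order-by column from a sort parameter.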