CodeIgniter Forums
SQL Injection protection in CodeIgniter - Printable Version




SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]Razican[/eluser]
Hello, I have an application which inserts post data into the database. The problem is that if I put sth', 'sth in the text field, it creates a database error, because it tries to insert two fields' data in only one:

INSERT INTO md5_decryptor (characters,md5) VALUES ('sth', 'sth','29f14c6f1851e7766ae69fdf4ca0c1c3');

I have the global XSS filtering enabled.


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]WanWizard[/eluser]
Without actual code it's difficult for us to guess what is wrong.

Some ideas:
- you're not using CI's active record, but code your queries by hand without proper escaping
- you use data from $_POST, not via $this->input->post

XSS filtering doesn't do anything with quotes in an input field, they are perfectly legal. They need to be escaped though if you use them in a query.


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]Razican[/eluser]
I'm not escaping the queries, how can I do that?


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]WanWizard[/eluser]
If you use CI's active record, CI does that for you. See the user manual.


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]Razican[/eluser]
I have used it but I get this error:

Code:
Unknown column 'Razican' in 'where clause'

UPDATE `users` SET `last_IP` = 'x.x.x.x' WHERE `username` = Razican

EDIT: My fault

EDIT: It works fine now, thanks.
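
The failure discussed in this thread, reproduced as an added example that is not part of the original posts and is not CodeIgniter code: stand-alone PHP with PDO and an in-memory SQLite database (an assumption; the thread does not name its database driver). The table, columns and input value come from the first post; the function names are hypothetical.

```php
<?php
// Added example: hand-built query vs. bound parameters, using the input from the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE md5_decryptor (characters TEXT, md5 TEXT)');

$input = "sth', 'sth";   // the text-field value from the first post
$hash  = md5($input);

// 1) Hand-built query: the quote inside $chars ends the string literal early,
//    so the database parses three values for two columns and rejects the statement.
function insert_concatenated(PDO $pdo, string $chars, string $hash): string
{
    $sql = "INSERT INTO md5_decryptor (characters,md5) VALUES ('$chars','$hash')";
    try {
        $pdo->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// 2) Bound parameters: the value travels separately from the SQL text, so the
//    quote is stored as data. In CodeIgniter the same separation comes from
//    $this->db->insert('md5_decryptor', $data) or from query bindings,
//    $this->db->query($sql, array(...)) with ? placeholders.
function insert_bound(PDO $pdo, string $chars, string $hash): string
{
    $stmt = $pdo->prepare('INSERT INTO md5_decryptor (characters, md5) VALUES (?, ?)');
    $stmt->execute([$chars, $hash]);
    return 'inserted';
}

echo 'concatenated: ', insert_concatenated($pdo, $input, $hash), PHP_EOL;
echo 'bound:        ', insert_bound($pdo, $input, $hash), PHP_EOL;

// Confirm the row holds exactly what was typed, quote and comma included.
$stored = $pdo->query('SELECT characters FROM md5_decryptor')->fetchColumn();
echo 'stored value matches input: ', var_export($stored === $input, true), PHP_EOL;
```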