CodeIgniter Forums
SQL Injection protection in CodeIgniter - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: SQL Injection protection in CodeIgniter (/thread-32417.html)



SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]Razican[/eluser]
Hello, I have an application which inserts post data into the database. The problem is that if I put sth', 'sth in the text field, it creates a database error, because it tries to insert two fields data in only one:

INSERT INTO md5_decryptor (characters,md5) VALUES ('sth', 'sth','29f14c6f1851e7766ae69fdf4ca0c1c3');

I have the global XSS filtering enabled.


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]WanWizard[/eluser]
Without actual code it's difficult for us to guess what is wrong.

Some ideas:
- your not using CI's active record, but code your queries by hand without proper escaping
- you use data from $_POST, not via $this->input->post

XSS filtering doesn't do anything with quotes in an input field, they are perfectly legal. They need to be escaped though if you use them in a query.


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]Razican[/eluser]
I'm not scaping the queries, how can I do that?


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]WanWizard[/eluser]
If you use CI's active record, CI does that for you. See the user manual.


SQL Injection protection in CodeIgniter - El Forum - 07-22-2010

[eluser]Razican[/eluser]
I have used it but I get this error:

Code:
Unknown column 'Razican' in 'where clause'

UPDATE `users` SET `last_IP` = 'x.x.x.x' WHERE `username` = Razican

EDIT: My fault

EDIT: It works fine now, thanks.