CodeIgniter Forums
Help to avoid sql injection attack - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: Help to avoid sql injection attack (/thread-44193.html)



Help to avoid sql injection attack - El Forum - 08-06-2011

[eluser]Unknown[/eluser]
Would you please guide me to secure my query?



Here is the query:
Code:
$id=$_GET['id'];
$sql="select title,picture,news from sport where id='$id'";
$result=mysql_query($sql,$db);



Do you think it's secure now?


Code:
$id = mysql_real_escape_string($_GET['id']);



Help to avoid sql injection attack - El Forum - 08-07-2011

[eluser]Bart v B[/eluser]
That can be much simpler :)
Use Active Records:

Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    $this->db->from('sport');
    
    $query = $this->db->get();
    
    foreach ($q->result() as $row)
    {
        $aData[] = $row;
        
    }
    
    return $aData;
}



Help to avoid sql injection attack - El Forum - 08-07-2011

[eluser]CodeIgniteMe[/eluser]
+1 vote for Bart v B's answer.

I only trimmed some redundant code:
Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $q->result();
}



Help to avoid sql injection attack - El Forum - 08-08-2011

[eluser]Bart v B[/eluser]
[quote author="CodeIgniteMe" date="1312784824"]+1 vote for Bart v B's answer.

I only trimmed some redundant code:
Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $q->result();
}
[/quote]

Pssst... Where is $q coming from? :)

Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $query->result();
}



Help to avoid sql injection attack - El Forum - 08-08-2011

[eluser]CodeIgniteMe[/eluser]
haha sorry, I didn't see that. I only used your code as a reference :coolsmirk:


Help to avoid sql injection attack - El Forum - 08-08-2011

[eluser]CodeIgniteMe[/eluser]
[quote author="Bart v B" date="1312855066"]
Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $query->result();
}
[/quote]

And one more thing to clean up: you don't need to include the select keyword in the statement.
Code:
$this->db->select('select title,picture,news');
should be
Code:
$this->db->select('title,picture,news');



Help to avoid sql injection attack - El Forum - 08-08-2011

[eluser]CodeIgniteMe[/eluser]
Or, to make it all so short:
Code:
function get_data()
{
    return $this->db->select('title,picture,news')->where('id', $_GET['id'])->get('sport')->result();
}

Only works with PHP >= 5.0.
Method Chaining


Help to avoid sql injection attack - El Forum - 08-09-2011

[eluser]P.T.[/eluser]
Code:
function get_data()
{
    return $this->db->select('title,picture,news')->where('id', $this->input->get('id'))->get('sport')->result();
}
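The pattern the thread converges on, written out as a complete CodeIgniter 2.x model plus the controller that calls it. This is an added example, not code from any of the posters; it assumes the `sport` table from the thread, a loaded database library, and the hypothetical class names `Sport_model` and `Sport`. It also goes one step further than the thread by checking that `id` is numeric before it reaches the database, and shows the equivalent query using CodeIgniter's query bindings.

```php
<?php
// application/models/sport_model.php (hypothetical path)
// Added example, not from the thread: returns one sport row by id without
// ever interpolating request input into SQL.
class Sport_model extends CI_Model
{
    // Active Record: the framework escapes the bound value, so a quote in
    // $id cannot alter the structure of the generated WHERE clause.
    public function get_by_id($id)
    {
        // The id column is numeric; reject anything that is not a string of
        // digits before the database sees it (defence in depth, not a
        // replacement for the escaping Active Record already does).
        if (!ctype_digit((string) $id)) {
            return array();
        }

        return $this->db->select('title,picture,news')
                        ->where('id', (int) $id)
                        ->get('sport')
                        ->result();
    }

    // Same query with CodeIgniter query bindings: each ? is replaced by the
    // escaped value from the array, never by raw string interpolation.
    public function get_by_id_bound($id)
    {
        if (!ctype_digit((string) $id)) {
            return array();
        }
        $sql = 'SELECT title, picture, news FROM sport WHERE id = ?';
        return $this->db->query($sql, array((int) $id))->result();
    }
}

// application/controllers/sport.php (hypothetical path)
// Read the parameter through the Input class and pass it to the model, so
// the model never touches $_GET directly. $this->input->get('id') returns
// FALSE when the parameter is absent, which ctype_digit() rejects.
class Sport extends CI_Controller
{
    public function show()
    {
        $this->load->model('sport_model');
        $rows = $this->sport_model->get_by_id($this->input->get('id'));
        $this->load->view('sport_view', array('rows' => $rows));
    }
}
```

With either method the generated SQL always has the shape `... WHERE id = <number>`, which is the property the original `'$id'` interpolation lacked.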