About the model class

CodeIgniter Forums (https://forum.codeigniter.com)
Thread: About the model class (/showthread.php?tid=44279)
About the model class - El Forum - 08-10-2011

[eluser]ted wong[/eluser]

First, I would like to know: if I use this method to insert a record in my DB, like this:

Code:
$new_user = array(

Then, I would like to know whether the insert method will escape special characters or not. Do I need to do it manually? If yes, is there any easy way to escape the data to avoid SQL injection?

Furthermore, if it is not escaped, I will have to sanitize the data somewhere. Where should I do it, and where should I put it? Is it more suitable to put this logic in the model or the controller? Also, is there any way to sanitize in CodeIgniter? Thank you.

(I did the form_validation, but some logic checks, like the user cannot have the same username, where should I put the logic? Thank you.)

About the model class - El Forum - 08-10-2011

[eluser]danmontgomery[/eluser]

If you're using active record, values are escaped... This is covered in the user guide.

http://ellislab.com/codeigniter/user-guide/database/active_record.html#insert

Quote: Note: All values are escaped automatically producing safer queries.

http://ellislab.com/codeigniter/user-guide/libraries/security.html
http://ellislab.com/codeigniter/user-guide/libraries/input.html

Checking unique values should still be done in form_validation.

http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#callbacks
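
The split described in the reply above, as an added example that is not code from either poster or from the CodeIgniter project: the model inserts through active record (which escapes the values) and the uniqueness rule runs as a form_validation callback in the controller. It assumes CodeIgniter 2.x; the `users` table, its `username` column, the class names `User_model` and `Signup`, and the view names are hypothetical.

```php
<?php
// Added example for CodeIgniter 2.x; table `users`, its columns, the class
// names and the view names are assumptions, not taken from the thread.
// application/models/user_model.php
class User_model extends CI_Model
{
    // Active record escapes $username before it reaches the query.
    public function username_exists($username)
    {
        return $this->db->where('username', $username)
                        ->count_all_results('users') > 0;
    }

    // insert() escapes every value in the array; no manual escaping needed.
    public function create(array $new_user)
    {
        return $this->db->insert('users', $new_user);
    }
}

// application/controllers/signup.php
class Signup extends CI_Controller
{
    public function index()
    {
        $this->load->database();
        $this->load->library('form_validation');
        $this->load->model('user_model');
        $this->form_validation->set_rules('username', 'Username',
            'trim|required|max_length[32]|callback_username_check');
        if ($this->form_validation->run() === FALSE) {
            return $this->load->view('signup_form');
        }
        $new_user = array('username' => $this->input->post('username'));
        $this->user_model->create($new_user);
        $this->load->view('signup_ok');
    }

    // Invoked by the "callback_username_check" rule above.
    public function username_check($str)
    {
        if ($this->user_model->username_exists($str)) {
            $this->form_validation->set_message('username_check',
                'That username is already taken.');
            return FALSE;
        }
        return TRUE;
    }
}
```

The callback check and the insert are two separate queries, so a UNIQUE index on `username` is still needed to reject concurrent duplicate signups. Active record escaping protects the SQL statement only; values echoed back in views still need output escaping.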