CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Development & Programming
Thread: Escaping in CodeIgniter.. (/showthread.php?tid=4788)



Escaping in CodeIgniter.. - El Forum - 12-16-2007

[eluser]Lovecannon[/eluser]
I had a question. Does CodeIgniter automatically run a function like mysql_real_escape_string either when it runs, or with the XSS clean function?


Escaping in CodeIgniter.. - El Forum - 12-16-2007

[eluser]ejangi[/eluser]
I don't think there's one that runs on all queries by default per se, but there are a number of methods in the database class which help. For instance, there's:
Code:
$this->db->escape($str); // returns $str quoted and escaped for the active database driver
and query bindings (which automatically get escaped):
Code:
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));
But, definitely if you use the active record class everything is escaped for you:
Code:
$this->db->select('*');
$this->db->from('blogs');
$this->db->join('comments', 'comments.id = blogs.id');
$query = $this->db->get();

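Putting the three approaches from the post above side by side, as an added example that is not from the thread or from CodeIgniter itself; it assumes a CodeIgniter 1.x model (the `Model` base class of the thread's era; `CI_Model` in 2.x) with the database library loaded, and a hypothetical `users` table with `username` and `status` columns:

```php
<?php
// Added example (not from the thread). Assumes the database library is loaded
// and a constructed `users` table with `username` and `status` columns.
class User_model extends Model
{
    // UNSAFE: the value is concatenated straight into the SQL text, so nothing
    // escapes it. This is exactly the case the helpers below exist to prevent.
    // xss_clean() would not help here: it neutralises HTML/JavaScript in input,
    // not SQL metacharacters, so it is the wrong tool for query safety.
    public function find_unsafe($username)
    {
        $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->result();
    }

    // Manual escaping: escape() quotes the string and escapes it for the active
    // driver, so the caller must NOT add its own quotes around the result.
    public function find_escaped($username)
    {
        $sql = "SELECT * FROM users WHERE username = " . $this->db->escape($username);
        return $this->db->query($sql)->result();
    }

    // Query bindings: each ? is replaced by the matching array element, which
    // CodeIgniter escapes and quotes before the query is sent.
    public function find_bound($username, $status)
    {
        $sql = "SELECT * FROM users WHERE username = ? AND status = ?";
        return $this->db->query($sql, array($username, $status))->result();
    }

    // Active Record: values passed to where() are escaped automatically.
    // Raw condition strings (such as the join condition in the post) are treated
    // as SQL, not as values, so keep user input out of those.
    public function find_active_record($username, $status)
    {
        $this->db->where('username', $username);
        $this->db->where('status', $status);
        return $this->db->get('users')->result();
    }
}
```

Only the first method leaves the caller responsible for the query text; the other three delegate quoting and escaping to the database driver, which is the point the thread arrives at.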


Escaping in CodeIgniter.. - El Forum - 12-16-2007

[eluser]Lovecannon[/eluser]
I know that, but I was just curious as to whether or not there was an auto one or if it was done in the XSS filter.


Escaping in CodeIgniter.. - El Forum - 12-17-2007

[eluser]Michael Wales[/eluser]
If you use the Active Record class, your queries will be escaped properly (for MySQL).