CodeIgniter Forums
How to prevent SQL injection? - Printable Version

Thread: How to prevent SQL injection? (/showthread.php?tid=56582)



How to prevent SQL injection? - El Forum - 01-04-2013

[eluser]Volkof[/eluser]
Hi all,

Is there a way to prevent SQL injection?

In my view, I have a textarea to enter comments, but if the user enters something like

Code:
You know what, I'm sure this review is fine

You can see that there is an apostrophe.


Then this is gonna cause a syntax error in my model:
Code:
// Values are concatenated straight into the SQL text, so the apostrophe in
// $comment closes the quoted literal early and the statement becomes malformed.
$sql = "INSERT INTO Comment (comment, userID, reviewID)
        VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
$query = $this->db->query($sql);


Thanks in advance


How to prevent SQL injection? - El Forum - 01-04-2013

[eluser]PhilTem[/eluser]
Use CI's AR-class, use the db->escape method, or perform query bindings.

Code examples can be found in the user's guide.


How to prevent SQL injection? - El Forum - 01-04-2013

[eluser]Unknown[/eluser]
[quote author="Volkof" date="1357301854"]Hi all,

Is there a way to prevent SQL injection?

In my view, I have a textarea to enter comments, but if the user enters something like

Code:
You know what, I'm sure this review is fine

You can see that there is an apostrophe.


Then this is gonna cause a syntax error in my model:
Code:
// Values are concatenated straight into the SQL text, so the apostrophe in
// $comment closes the quoted literal early and the statement becomes malformed.
$sql = "INSERT INTO Comment (comment, userID, reviewID)
        VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
$query = $this->db->query($sql);


Thanks in advance[/quote]
Simply do,
Code:
// Query bindings: each ? is replaced by the corresponding array element,
// escaped by the database driver, so quotes in $comment stay data.
$this->db->query("INSERT INTO Comment (comment, userID, reviewID)
                  VALUES (?, ?, ?)", array($comment, $userID, $reviewID));
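To see the difference the last answer describes, here is an added example that is not code from the thread or from CodeIgniter: it runs the same INSERT both ways against an in-memory SQLite database through plain PDO (assumed available, in place of CodeIgniter's database layer), using the apostrophe-containing comment from the first post as constructed input.

```php
<?php
// Added example, not CodeIgniter's own code. Uses PDO + SQLite so it runs
// stand-alone; CodeIgniter's $this->db->query($sql, array(...)) with ? markers
// gives the same protection as the prepared statement shown in step 2.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Comment (comment TEXT, userID INTEGER, reviewID INTEGER)');

// Constructed input: the exact comment from the thread, containing an apostrophe.
$comment  = "You know what, I'm sure this review is fine";
$userID   = 7;
$reviewID = 42;

// 1. String concatenation, as in the original model. The apostrophe in $comment
//    terminates the quoted literal early, so the SQL is malformed and the
//    database rejects it (and a crafted value could alter the statement instead).
$unsafe = "INSERT INTO Comment (comment, userID, reviewID)
           VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
try {
    $pdo->exec($unsafe);
    echo "unexpected: concatenated query succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ".$e->getMessage()."\n";
}

// 2. Placeholders with bound values. The comment is passed to the driver as
//    data, never spliced into the SQL text, so quotes inside it cannot change
//    the structure of the statement.
$stmt = $pdo->prepare(
    'INSERT INTO Comment (comment, userID, reviewID) VALUES (?, ?, ?)'
);
$stmt->execute(array($comment, $userID, $reviewID));

// Read the row back to confirm the apostrophe was stored intact.
$row = $pdo->query('SELECT comment, userID, reviewID FROM Comment')
           ->fetch(PDO::FETCH_ASSOC);
echo "stored comment: ".$row['comment']." (user ".$row['userID'].", review ".$row['reviewID'].")\n";
```

Requires PHP with the pdo_sqlite extension; the first INSERT prints a syntax error while the bound INSERT stores the comment unchanged.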