+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Model-View-Controller (https://forum.codeigniter.com/forumdisplay.php?fid=10)
+--- Thread: SQL Injection (/showthread.php?tid=74921)
SQL Injection - dmorgan20 - 11-25-2019
Afternoon
I was struggling to get some data to insert in to MySQL but i have finally got that working - However, someone said I am wide open to an SQL injection attack and theyve not said anything else about it. This of course got me worried
In my views I have a postcode.php and a submit.php (the submit is where the SQL query is saved).
PHP Code:
// SAVE POSTCODE & DELIVERY COST
if(isset($_POST['submitPostCode'])){
// Get editor content
$postCodeString = $_POST['postCodetext'];
$costString = $_POST['costtext'];
// Check whether the editor content is empty
if(!empty($postCodeString)){
// Insert editor content in the database
$insert1 = $db->query("INSERT INTO postCode (postCode, Cost) VALUES ('".$postCodeString."', '".$costString."')");
// If database insertion is successful
if($insert1){
$statusMsg1 = "Succeddfully Saved.";
}else{
$statusMsg1 = "A problem occurred, please try again.";
}
}else{
$statusMsg1 = 'You cannot save a blank postcode or delivery charge';
}
}
I kind of understand SQL injection. My knowledge is that a malicious using may be able to essentially change the query to suite their need such as drop a table etc.
But how is mine not secure, and why is it wide open to an attack? Also, what can I immediately do to secure it
RE: SQL Injection - jreklund - 11-25-2019
On what it is:
https://www.php.net/manual/en/security.database.sql-injection.php
And how you can bind/escape in Codeigniter:
https://codeigniter.com/user_guide/database/queries.html
RE: SQL Injection - HeyDarling - 11-25-2019
Use the query builder, is super friendly. Check the link posted above
Also, enable global_xss_filtering on your config.php file. Note that this function is deprecated though so try not to depend on it.
PHP Code:
$config['global_xss_filtering'] = TRUE;
In addition, check out the Security class https://codeigniter.com/user_guide/libraries/security.html.
RE: SQL Injection - jreklund - 11-26-2019
Don't enable global_xss_filtering, it's deprecated for a reason. You should filter/validate on input and escape on output.