CodeIgniter Forums
SQL Injections - Printable Version


SQL Injections - miscapu - 01-24-2023

I would like to know if the Query Builder Class is safe in terms of SQL Injections.

How should they be used correctly to avoid these attacks?
I have this situation:
$product    =  $this->productModel->asObject()->find( $id );

And this other:
$sql        =  'SELECT * FROM products WHERE id = ?';
$products   =  $this->db->query( $sql, [ 1 ] )->getResultObject();

Which would be the safest?

RE: SQL Injections - kenjis - 01-24-2023

find() is not a Query Builder method. It is a Model method.

If you want to make your app safe, validate all user input before passing to DB/QB/Model objects.
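The three ways of building the lookup discussed in this thread, side by side with the unsafe string-concatenation form and the validation step kenjis recommends. This is an added example, not code from the thread or from CodeIgniter itself; it assumes a CodeIgniter 4 controller with $this->db, $this->request and a $this->productModel, and the products table with an integer primary key id.

```php
<?php
// Added example (not from the original thread). Assumes a CodeIgniter 4
// controller with $this->db, $this->request and $this->productModel.

// Untrusted value from the query string; it may be any string the client sends.
$rawId = $this->request->getGet('id');

// UNSAFE: the input becomes part of the SQL text and can change the statement.
// $rows = $this->db->query('SELECT * FROM products WHERE id = ' . $rawId);

// 1. Validate first. is_natural_no_zero rejects anything that is not a
//    positive integer, so only a well-formed id reaches the database layer.
$validation = service('validation');
$validation->setRules(['id' => 'required|is_natural_no_zero']);
if (! $validation->run(['id' => $rawId])) {
    return $this->response->setStatusCode(400)->setBody('invalid id');
}
$id = (int) $rawId;

// 2a. Raw query with a bound parameter: the driver quotes/escapes the value,
//     so it is always treated as data, never as SQL.
$sql      = 'SELECT * FROM products WHERE id = ?';
$products = $this->db->query($sql, [$id])->getResultObject();

// 2b. Query Builder: where() with the value as a separate argument is escaped.
$products = $this->db->table('products')
    ->where('id', $id)
    ->get()
    ->getResultObject();

// 2c. Model::find() builds the same primary-key WHERE clause internally.
$product = $this->productModel->asObject()->find($id);

// Caveat: a raw string passed to where() with no value argument, e.g.
// where("id = $rawId"), is NOT escaped by the builder. Table and column
// names cannot be bound either, so never build identifiers from user input.
```

All three safe forms send the value separately from the SQL text; the validation step is what stops malformed input from ever reaching them.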