CodeIgniter Forums
SQL Injections - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12)
+--- Thread: SQL Injections (/showthread.php?tid=86260)



SQL Injections - miscapu - 01-24-2023

I would like to know if the Query Builder Class is safe in terms of SQL Injections.

How should they be used correctly to avoid these attacks?
I have this situation:
Code:
$product    =  $this->productModel->asObject()->find( $id );

And this other:
Code:
$sql        =  'SELECT * FROM products WHERE id = ?';
$products   =  $this->db->query( $sql, [ 1 ] )->getResultObject();


Which would be the safest?


RE: SQL Injections - kenjis - 01-24-2023

find() is not a Query Builder method. It is a Model method.

If you want to make your app safe, validate all user input before passing it to DB/QB/Model objects.
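The two safe forms from the question next to the string-building form they replace, plus the cases where Query Builder stops protecting you, as an added example that is not code from either poster or from the CodeIgniter project. It assumes a CodeIgniter 4 application with a configured default database connection and a `products` table with an integer `id` column; the `$rawId`, `$sortField` and `$allowedSorts` names and the sample payload are constructed for the illustration.

```php
<?php
// Added example: unsafe interpolation vs. CodeIgniter 4 query bindings / Query Builder.
// Assumes a CI4 app with a default DB connection and a `products` table (integer `id`).

use Config\Database;

$db = Database::connect();

// Constructed sample input, e.g. what $this->request->getGet('id') could return.
$rawId = '1 OR 1=1';

// 1) UNSAFE: the value becomes part of the SQL text, so the tautology is executed
//    and every row comes back.
$unsafe = $db->query("SELECT * FROM products WHERE id = $rawId")->getResultObject();

// 2) SAFE: query bindings. The `?` is replaced by an escaped, quoted literal,
//    so the payload is compared as data, never parsed as SQL.
$bound = $db->query('SELECT * FROM products WHERE id = ?', [$rawId])->getResultObject();

// 3) SAFE: Query Builder. where('col', $value) escapes the value the same way,
//    and Model::find($id) builds its WHERE through the builder as well.
$built = $db->table('products')->where('id', $rawId)->get()->getResultObject();

// getCompiledSelect() shows the SQL the builder would send, with the literal quoted.
$compiled = $db->table('products')->where('id', $rawId)->getCompiledSelect();

// Caveats: the builder escapes *values*, not SQL fragments you hand it.
// A raw WHERE string, or where() with escape=false, is interpolation again.
$rawWhere = $db->table('products')->where("id = $rawId");        // unsafe: raw string
$noEscape = $db->table('products')->where('id', $rawId, false);  // unsafe: escaping disabled

// Identifiers (column names, sort direction) are never bind parameters, so
// user-chosen sort fields must be validated against an allowlist first.
$sortField    = service('request')->getGet('sort') ?? 'id';
$allowedSorts = ['id', 'name', 'price'];
if (! in_array($sortField, $allowedSorts, true)) {
    $sortField = 'id';
}
$sorted = $db->table('products')->orderBy($sortField, 'ASC')->get()->getResultObject();

// Validating the value type before it reaches the DB layer, as the reply above
// recommends, also removes the ambiguity: a non-integer id is rejected outright.
$id = filter_var($rawId, FILTER_VALIDATE_INT);
if ($id === false) {
    throw new InvalidArgumentException('id must be an integer');
}
$product = $db->table('products')->where('id', $id)->get()->getRowObject();
```

Bindings and `where('col', $value)` are equivalent for the value position; the difference only matters once the query text itself (a raw `where()` string, a column name, an `escape=false` call) is built from input, which is where the allowlist or type check has to do the work.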