Not validated input and query builder class - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Not validated input and query builder class (/showthread.php?tid=88103)
Not validated input and query builder class - ONice - 07-22-2023

I have read the CI user guide, and it stated that the query builder class can generate SQL statements quite safely, but it is not designed to prevent SQL injection no matter what data is passed to it. If I don't validate my input, I feel very unsafe to depend on the query builder class for preventing SQL injection.

I want to have an input field that accepts a variety of answers from my users. And the answer can include all kinds of symbols. Can I trust Query Builder with unvalidated input fields?

I am so scared that my database data will all be gone at some point. I don't have any database backups.

RE: Not validated input and query builder class - kenjis - 07-28-2023

(07-22-2023, 01:48 PM)ONice Wrote: Can I trust Query Builder with unvalidated input fields?

No, you can't. If you use Query Builder safely, it is safe.
How do you use it safely? Read https://codeigniter4.github.io/CodeIgniter4/database/query_builder.html#sql-injection-protection

(07-22-2023, 01:48 PM)ONice Wrote: I don't have any database backups.

Why don't you back up your database?

RE: Not validated input and query builder class - InsiteFX - 07-28-2023

My hosting provider backs up my databases every night for me and places the file in my root as a zip file so that I can download it whenever I want it.

RE: Not validated input and query builder class - ONice - 07-29-2023

(07-28-2023, 02:01 AM)kenjis Wrote:
(07-22-2023, 01:48 PM)ONice Wrote: Can I trust Query Builder with unvalidated input fields?

I have read that as well. It says the query builder takes three arguments, and all values are escaped by default. So can I conclude that, if I don't disable escape and don't use custom strings or raw SQL, it's pretty much 99.99% safe already?

(07-28-2023, 10:58 PM)InsiteFX Wrote: My hosting provider backs up my databases every night for me and places the file in my root as a zip file

Great hosting provider! I am running my own hosting, still figuring out how to set up database backups. Any suggestions on where to get started?

RE: Not validated input and query builder class - kenjis - 07-29-2023

A value means a column value. Unless escaping is disabled, the value is escaped by the Query Builder, so SQL injection attacks by strings in the value are not possible.

What the Query Builder cannot protect is column names (or table names). If these values can be modified by users, SQL injection attacks are easy. However, usually those values are hard-coded, and users cannot modify them.

Even if you use custom strings or raw SQL, they are safe when their values are hard-coded. If users can modify a part of them, it is not safe.

RE: Not validated input and query builder class - kenjis - 07-30-2023

(07-29-2023, 12:59 AM)kenjis Wrote: However, usually those values are hard-coded, and users cannot modify them.

I wrote above. However, this may not be correct.

I imagined a SELECT query like:

PHP Code:
$builder->where('name', $name);

but if a dev writes code like the following:

PHP Code:
$builder->insert($_POST);

the column names are not hard-coded.

RE: Not validated input and query builder class - ONice - 07-30-2023

(07-30-2023, 01:39 AM)kenjis Wrote:
(07-29-2023, 12:59 AM)kenjis Wrote: However, usually those values are hard-coded, and users cannot modify them.

I see what you mean by column names not being hard-coded. I never thought it could be like this without being hard-coded. Thanks for dispelling the doubts that clouded my mind.
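The distinction kenjis draws above (values are escaped, column names are not) is the whole point of the thread, so here is an added example of how to keep `$builder->insert($_POST)` safe. This code is not from the thread and not CodeIgniter's own code; it assumes a table whose writable columns are `question_id` and `answer`, and a CodeIgniter 4 Query Builder (`\CodeIgniter\Database\BaseBuilder`) passed in by the caller. The filter itself is plain PHP and runs without a database.

```php
<?php
// Added example (not from the thread, not CodeIgniter's own code).
// Assumed schema: writable columns 'question_id' and 'answer'.
declare(strict_types=1);

/**
 * Keep only the keys the application itself declares as writable columns.
 * The column names written into the SQL come from $allowedColumns, which is
 * hard-coded, so a key invented by the client never reaches the query text.
 * The values are left untouched: the Query Builder escapes them.
 */
function filterInsertData(array $input, array $allowedColumns): array
{
    $data = [];
    foreach ($allowedColumns as $column) {
        if (array_key_exists($column, $input)) {
            $data[$column] = $input[$column];
        }
    }
    if ($data === []) {
        throw new InvalidArgumentException('No writable columns present in input');
    }
    return $data;
}

/**
 * Unsafe form from the thread: $builder->insert($_POST), where the request
 * decides the column names.
 * Safe form: column names from the allowlist; values still escaped by the builder.
 *
 * $builder is assumed to be a \CodeIgniter\Database\BaseBuilder for the
 * 'answers' table (typed as object here so the script runs without CI loaded).
 */
function saveAnswer(object $builder, array $post): bool
{
    $allowed = ['question_id', 'answer']; // hard-coded: the assumed schema
    $data    = filterInsertData($post, $allowed);
    return (bool) $builder->insert($data);
}

// Constructed sample request: one key the client made up, plus a value full
// of quotes and symbols. The key is dropped; the value passes through as-is,
// because escaping values is the builder's job, not the filter's.
$constructedPost = [
    'question_id' => '7',
    'answer'      => "it's 50% \"done\"; -- maybe",
    'role'        => 'admin', // not a writable column: discarded
];

$filtered = filterInsertData($constructedPost, ['question_id', 'answer']);
assert(array_keys($filtered) === ['question_id', 'answer']);
assert(!array_key_exists('role', $filtered));
echo json_encode($filtered), PHP_EOL;
```

The same idea is what `$builder->where('name', $name)` already gives you for free: the column name is a string literal in the source, and only `$name` comes from the user. Applying an allowlist to the keys of `$_POST` restores that property for insert and update, and as a side effect also blocks clients from writing to columns they were never meant to touch.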