What does query builder actually escape?
#1

I'm looking for reliable answers to the following scenario regarding whether or not the data is escaped by query builder:

Code:
$this->db->select($evilInput); // pretty sure it is
$this->db->where($evilInput2, "abc"); // i know abc is
$query = $this->db->get($evilInput3);
$count = $query->num_rows();

In which of the above scenarios does `$evilInput` need to be escaped manually? The docs are a little iffy on these types of examples.

I know `set()` escapes as well as `$this->db->get('tablename', $escape_this_array);`
Reply
#2

For a quick check you can print out the latest query and see how it handles keys and data:
PHP Code:
echo $this->db->last_query(); 
Reply
#3

@alex.fagard,

...or you could consider Query bindings ( https://codeigniter.com/user_guide/datab...y-bindings ).
Reply
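Added example (not code from the thread or from CodeIgniter itself) putting the two replies together for CodeIgniter 3: user-supplied values go through query bindings (#3) and the resulting SQL is logged via last_query() (#2), while column and table names, which bindings cannot cover, are taken from a fixed allow-list. The `users` table, its columns and the `Users` controller are assumed for illustration.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Hypothetical controller; the table `users` with columns id, email, status,
// created_at is assumed and does not come from the thread.
class Users extends CI_Controller
{
    public function lookup()
    {
        // Values supplied by the client: never spliced into SQL, always bound.
        $email = (string) $this->input->get('email');

        // Query bindings: each ? is replaced by the escaped value in order.
        $sql   = 'SELECT id, email FROM users WHERE email = ? AND status = ?';
        $query = $this->db->query($sql, array($email, 'active'));

        // Inspect what was actually sent to the database (reply #2's check).
        log_message('debug', 'lookup query: ' . $this->db->last_query());

        // Identifiers (column/table names) are not data and cannot be bound,
        // so a user-chosen sort column is only accepted from this allow-list.
        $allowed_sort = array('id', 'email', 'created_at');
        $sort = (string) $this->input->get('sort');
        if (!in_array($sort, $allowed_sort, true)) {
            $sort = 'id'; // safe default when the client asks for anything else
        }

        // Query builder escapes the where() value; the column names passed to
        // select() and order_by() are the fixed strings chosen above.
        $rows = $this->db->select(array('id', 'email', 'created_at'))
                         ->from('users')
                         ->where('status', 'active')
                         ->order_by($sort, 'ASC')
                         ->get()
                         ->result_array();

        log_message('debug', 'list query: ' . $this->db->last_query());

        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array(
                         'match' => $query->result_array(),
                         'list'  => $rows,
                     )));
    }
}
```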