Do I really need to sanitize input from URL?
#8

[eluser]jonez[/eluser]
[quote author="wildgoatcheese" date="1378598800"]I'm writing straight SQL requests with $query = $this->db->query(' SELECT ...'). It seems I don't need to escape variables since apostrophes can't pass through URLs. Not sure if there is a way for a hacker to circumvent it. [/quote]
Using straight SQL without escaping input is a really bad idea. Typically, when someone tries an SQL injection they will submit special strings through forms, such as a login or search form. Apostrophes can pass through URLs: when someone submits a form with name="D'ni", it is encoded as part of the URL, then decoded by CI, so putting a ' in the URL bar doesn't simulate an injection attempt.

If you don't sanitize your input, eventually a bot will find you. When it does, your only option will be to take down your site and manually fix every single DB query that is not escaped.

CI makes parametrized queries easy, even if you don't want to use Active Record or an ORM.

Here's an example:
Code:
class Client_model extends CI_Model {

    public function get_client( $client_id )
    {
        // The ? placeholder is replaced with the escaped value of $client_id,
        // so quotes or other SQL characters in the input cannot change the query.
        $sql = "
        SELECT
          c.*,
          s.name AS state_name,
          cs.name AS country_name
        FROM
          clients c
          LEFT JOIN states s ON c.state_id = s.id
          LEFT JOIN countries cs ON c.country_id = cs.id
        WHERE
          c.id = ?
        ";

        $query = $this->db->query( $sql, array( $client_id ) )->row_array( );
        return $query;
    }
}
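As an added example, not from this post or from CodeIgniter: plain PHP with PDO and an in-memory SQLite database (standing in for CI's ? binding) showing that a URL-encoded apostrophe arrives in the application as a literal quote, that pasting it into the SQL text breaks the statement, and that a bound parameter handles it correctly. The table, the rows and the query string are constructed for the example.

```php
<?php
// Added example (not the forum post's code). PDO + in-memory SQLite is used
// here so it runs without CodeIgniter; CI's $this->db->query($sql, $binds)
// achieves the same separation of SQL text from input values.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO clients (name) VALUES ('D''ni'), ('Acme')");  // constructed rows

// Constructed query string, as a browser sends it after submitting name="D'ni".
// parse_str() applies the same percent-decoding PHP uses to build $_GET.
parse_str("name=D%27ni", $get);
$name = $get['name'];   // the apostrophe survived the trip through the URL

// Unsafe: the raw value is spliced into the SQL text, so the quote in the
// input ends the string literal early and the statement no longer parses.
$unsafe = "SELECT id, name FROM clients WHERE name = '" . $name . "'";
try {
    $pdo->query($unsafe);
    echo "unsafe query ran\n";
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// Safe: the value is passed as a bound parameter, so the driver treats it as
// data and never as part of the SQL, whatever characters it contains.
$stmt = $pdo->prepare("SELECT id, name FROM clients WHERE name = ?");
$stmt->execute([$name]);
print_r($stmt->fetch(PDO::FETCH_ASSOC));
```

The failing branch is the benign case (a legitimate name with an apostrophe); the same splicing is what lets a crafted value change the query's meaning, which is why the bound form is the one to use.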

