escape or escape_str
#4

[eluser]TheFuzzy0ne[/eluser]
Yes, it will be a security threat and also you won't have a valid SQL query.

Let's say you wanted to insert some data into an imaginary table:

Code:
$this->db->where('user_id', '1');
$this->db->insert('imaginary_table', array('username' => 'some name'));

If the string was not escaped, the resulting query would look something like this:

Code:
INSERT INTO imaginary_table (username) VALUES(some name) WHERE user_id = '1';

This is not valid SQL, as "some name" does not appear within quotes so your SQL database won't know it's a string. Escaping it adds those quotes, so it will look more like this:

Code:
INSERT INTO imaginary_table (username) VALUES('some name') WHERE user_id = '1';

If you pass a string to $this->db->escape(), it is automatically escaped using your database's native escape function (to prevent SQL injection attacks), which is essentially what escape_str() does.

I recommend you stick with $this->db->escape(), as it does everything you should need it to. If you're using the active record class, then your data is escaped automatically.
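
To make the difference between the two helpers concrete, here is an added example that is not part of the post above or of CodeIgniter itself: two small stand-in functions (demo_escape_str and demo_escape, an assumed approximation of what the MySQL driver does, not CodeIgniter's real code) run over a constructed username containing a single quote, so you can see why building the query with escape_str() alone leaves you without quotes, while escape() gives you a valid, escaped string literal.

```php
<?php
// Added example, not CodeIgniter's code: driver-free stand-ins for
// escape_str() and escape() to show why escape() is the one you want
// when you build SQL by hand.

// Stand-in for escape_str(): backslash-escape the characters a MySQL
// driver's native escape function handles. Assumed approximation only.
function demo_escape_str(string $str): string
{
    return strtr($str, [
        "\0"   => '\\0',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ]);
}

// Stand-in for escape(): the same escaping plus the surrounding quotes,
// with non-string values rendered the way SQL expects them.
function demo_escape($value): string
{
    if (is_string($value)) {
        return "'" . demo_escape_str($value) . "'";
    }
    if (is_bool($value)) {
        return $value ? 'TRUE' : 'FALSE';
    }
    if ($value === null) {
        return 'NULL';
    }
    return (string) $value; // ints and floats need no quotes
}

$username = "O'Brien"; // constructed sample input containing a quote

// escape_str() with the quotes forgotten: the string is escaped, but
// the statement is still not valid SQL because nothing quotes it.
$bad  = "INSERT INTO imaginary_table (username) VALUES("
      . demo_escape_str($username) . ")";

// escape(): quotes are added for you and the inner quote is escaped.
$good = "INSERT INTO imaginary_table (username) VALUES("
      . demo_escape($username) . ")";

echo $bad, "\n";
echo $good, "\n";
```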


Messages In This Thread
escape or escape_str - by El Forum - 04-25-2009, 07:19 PM
escape or escape_str - by El Forum - 04-26-2009, 04:43 AM
escape or escape_str - by El Forum - 04-26-2009, 06:28 AM
escape or escape_str - by El Forum - 04-26-2009, 06:48 AM
escape or escape_str - by El Forum - 04-26-2009, 06:57 AM


