CSV Import
#1

[eluser]Fero[/eluser]
Hi,

I've found some thread about CSV importing using INFILE; however, isn't this method a threat to security?

Does $this->db->query('something') check each entry of the INFILE document for SQL injection possibility?
#2

[eluser]MikeHibbert[/eluser]
[quote author="Fero" date="1237356558"]Hi,

I've found some thread about CSV importing using INFILE; however, isn't this method a threat to security?

Does $this->db->query('something') check each entry of the INFILE document for SQL injection possibility?[/quote]

As far as I remember, it's only when you use the proper CI insert method that the checking and sanitation is carried out.

The plain $this->db->query(); will only carry out an unchecked SQL statement.

Mike
#3

[eluser]Fero[/eluser]
So it is a threat and should not be used as a function for public users.
#4

[eluser]ray73864[/eluser]
I suggested to someone a long time ago to use INFILE for doing the import. Depending on how many records you have to import, and how complex your import process will end up being, having the DB server do the import instead of PHP will be *much* faster.

Each line from the CSV file that I was reading, for instance (with over 20,000 records), had to be checked to see if it existed, and if it did, update it, otherwise insert it. Let's not even go near the deleting side. Using PHP this was taking several hours; using INFILE, however, the import took less than 3 secs to do.

My CSV import, however, was only accessible on the admin side of the website, so it was never a security risk.
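
An added example, not part of any post in this thread: `LOAD DATA` reads the file's fields as values and never parses them as SQL, so the injection surface is the statement text (file name, table, columns), while the file's contents still need shape validation. The PHP 7.4+ script below assumes a hypothetical `products` table, column patterns and a Unix-style temp path; it copies valid rows of an upload to a server-generated file and builds a fixed statement for it.

```php
<?php
// Added example, not code from the thread. Table "products", its columns and
// the per-column patterns are assumptions chosen for illustration.
const COLUMNS = [
    'sku'   => '/^[A-Z0-9-]{1,20}$/',
    'name'  => '/^[^\x00-\x1F]{1,100}$/u',   // no control chars or newlines
    'price' => '/^\d{1,7}(\.\d{1,2})?$/',
];

// Copy rows matching the expected shape from $in to $out; returns
// [accepted row count, rejected line numbers].
function clean_csv($in, $out): array
{
    if (fgetcsv($in, 0, ',', '"', '') !== array_keys(COLUMNS)) {
        throw new RuntimeException('unexpected header');
    }
    fputcsv($out, array_keys(COLUMNS), ',', '"', '');
    [$accepted, $rejected] = [0, []];
    for ($line = 2; ($row = fgetcsv($in, 0, ',', '"', '')) !== false; $line++) {
        $ok = count($row) === count(COLUMNS);
        foreach (array_values(COLUMNS) as $i => $pattern) {
            $ok = $ok && preg_match($pattern, $row[$i]) === 1;
        }
        if ($ok) { fputcsv($out, $row, ',', '"', ''); $accepted++; }
        else     { $rejected[] = $line; }
    }
    return [$accepted, $rejected];
}

// The statement text is fixed; only a server-generated path is substituted.
function load_statement(string $path): string
{
    if (!preg_match('#^[A-Za-z0-9_/.-]+$#', $path)) {
        throw new InvalidArgumentException('unexpected path');
    }
    return sprintf(<<<'SQL'
LOAD DATA LOCAL INFILE '%s' INTO TABLE products
FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' ESCAPED BY ''
LINES TERMINATED BY '\n' IGNORE 1 LINES (sku, name, price)
SQL, $path);
}

// Constructed upload: line 3 holds an SQL-looking name, line 4 a bad price.
$csv = "sku,name,price\nAB-1,Widget,9.99\nAB-2,\"x'); DROP TABLE products; --\",1.00\nAB-3,Gadget,free\n";
$in = fopen('php://memory', 'w+');
fwrite($in, $csv);
rewind($in);
$path = tempnam(sys_get_temp_dir(), 'csv');   // name chosen by the server, not the user
$out = fopen($path, 'w');
[$accepted, $rejected] = clean_csv($in, $out);
fclose($out);
printf("accepted=%d rejected lines=%s\n%s\n", $accepted, implode(',', $rejected), load_statement($path));
```

In CodeIgniter the returned string is what would be passed to `$this->db->query()`; `LOCAL` also requires `local_infile` to be enabled on both client and server.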
