SQL Injection protection in CodeIgniter
#1

[eluser]Razican[/eluser]
Hello, I have an application which inserts post data into the database. The problem is that if I put sth', 'sth in the text field, it creates a database error, because it tries to insert two fields data in only one:

INSERT INTO md5_decryptor (characters,md5) VALUES ('sth', 'sth','29f14c6f1851e7766ae69fdf4ca0c1c3');

I have the global XSS filtering enabled.
#2

[eluser]WanWizard[/eluser]
Without actual code it's difficult for us to guess what is wrong.

Some ideas:
- you're not using CI's active record, but code your queries by hand without proper escaping
- you use data from $_POST, not via $this->input->post

XSS filtering doesn't do anything with quotes in an input field; they are perfectly legal. They need to be escaped though if you use them in a query.
#3

[eluser]Razican[/eluser]
I'm not escaping the queries, how can I do that?
#4

[eluser]WanWizard[/eluser]
If you use CI's active record, CI does that for you. See the user manual.
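The two answers above (hand-built query without escaping vs. CI's active record) in code, as an added example that is not part of the thread: a CodeIgniter 2.x controller with the broken string-concatenation INSERT from post #1 beside the Active Record and query-binding versions. Table and column names (md5_decryptor, characters, md5, users, last_IP, username) are taken from the thread; the controller and method names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes CodeIgniter 2.x with the
// database library loaded and a form field named "characters".
class Md5_decryptor extends CI_Controller {

    // BEFORE (the bug in post #1): the raw $_POST value is pasted into the SQL
    // string. A value like  sth', 'sth  closes the first quoted value early,
    // so MySQL sees three values for two columns and rejects the statement.
    // Any other quote-containing input would likewise alter the statement.
    public function add_unsafe()
    {
        $chars = $_POST['characters'];
        $sql = "INSERT INTO md5_decryptor (characters, md5) VALUES ('"
             . $chars . "', '" . md5($chars) . "')";
        $this->db->query($sql);
    }

    // AFTER: Active Record escapes every value it inserts, so a quote in the
    // input is stored as a literal character instead of ending the string.
    // $this->input->post() is used instead of $_POST, as WanWizard suggests;
    // it returns FALSE when the field is missing.
    public function add()
    {
        $chars = $this->input->post('characters');
        if ($chars === FALSE || $chars === '') {
            show_error('characters is required', 400);
        }
        $this->db->insert('md5_decryptor', array(
            'characters' => $chars,
            'md5'        => md5($chars),
        ));
    }

    // Query bindings do the same job when the SQL is written by hand:
    // each ? is replaced by an escaped copy of the matching array element.
    public function add_with_bindings()
    {
        $chars = $this->input->post('characters');
        $this->db->query(
            'INSERT INTO md5_decryptor (characters, md5) VALUES (?, ?)',
            array($chars, md5($chars))
        );
    }

    // The same applies to an UPDATE: where() quotes and escapes the string
    // value, which is what a hand-built  WHERE `username` = Razican  lacks.
    public function touch_last_ip()
    {
        $this->db->where('username', $this->input->post('username'));
        $this->db->update('users', array(
            'last_IP' => $this->input->ip_address(),
        ));
    }
}
```

Submitting `sth', 'sth` to add() stores that exact string in the characters column; submitting it to add_unsafe() reproduces the error from post #1. The escaping is done by the database driver's escape routine, so it also covers backslashes and other characters that a simple quote replacement would miss.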
#5

[eluser]Razican[/eluser]
I have used it but I get this error:

Code:
Unknown column 'Razican' in 'where clause'

UPDATE `users` SET `last_IP` = 'x.x.x.x' WHERE `username` = Razican

EDIT: My fault

EDIT: It works fine now, thanks.