permitted_uri_chars in application/config.php not working [serious vulnerability]
[eluser]Keat Liang[/eluser]
$this->db->limit($limit, $offset); belongs to Active Record, and it should automatically escape the value. I am protecting the search variable because it is using a custom where clause:

Code:
$this->db->where("(user_id LIKE '%$like_str%' OR

These where clauses below will automatically escape, since the user guide says: http://ellislab.com/codeigniter/user-gui...ecord.html

"Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system."

Code:
//auto escape yay !

By combining both, the URI exploit allows some illegal characters and the limit function does not escape the value, so other people assume it is safe.... CI is still awesome! Sorry for my poor English.
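Added example, not the poster's code and not part of CodeIgniter itself: the search from the post written twice, once in the interpolated shape described above and once using Active Record's own like() escaping with the paging values cast before they reach limit(). It assumes a CodeIgniter 2.x model, a users table, the user_id column from the post, and hypothetical method names search_unsafe() and search_safe().

```php
<?php
// Added example, not from the original post. Assumes a CodeIgniter 2.x
// model, a `users` table and the user_id column named in the post;
// method and parameter names are hypothetical.
class User_model extends CI_Model {

    // Shape from the post: $like_str is interpolated into raw SQL, so any
    // quote or LIKE wildcard it contains reaches the database as written,
    // and $limit/$offset are handed to limit() without validation.
    public function search_unsafe($like_str, $limit, $offset)
    {
        $this->db->where("(user_id LIKE '%$like_str%')");
        $this->db->limit($limit, $offset);
        return $this->db->get('users')->result();
    }

    // Hardened form: like() escapes the value and its LIKE wildcards
    // (escape_like_str() does the same when you must hand-write the SQL),
    // and the paging values are forced to sane integers here instead of
    // relying on whatever limit() does with them.
    public function search_safe($like_str, $limit, $offset)
    {
        $limit  = max(1, (int) $limit);
        $offset = max(0, (int) $offset);

        $this->db->like('user_id', $like_str);   // user_id LIKE '%<escaped>%'
        $this->db->limit($limit, $offset);
        return $this->db->get('users')->result();
    }
}
```

The raw-SQL variant is only needed when a condition cannot be expressed with where()/like(); in that case wrap every user value in $this->db->escape() or $this->db->escape_like_str() before concatenating it.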