-
smallbug
Junior Member
-
Posts: 10
Threads: 5
Joined: Apr 2015
Reputation:
0
Hi All!
I'm a beginner and have just started with CodeIgniter 3.0
If I don't want to forget the way how to create regular SQL-Code, I use this model:
PHP Code: public function intsertNew($firstname, $secondname, $age) {
$sql = "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)"; $query = $this->db->query($sql);
return $query; // TRUE/FALSE }
In the config of database.php I use PDO to be safe:
PHP Code: $db['default'] = array( 'dsn' => 'mysql:host=localhost;dbname=employee', 'hostname' => 'localhost', 'username' => 'root', 'password' => '', 'database' => 'employee', 'dbdriver' => 'pdo', 'dbprefix' => '', 'pconnect' => FALSE, 'db_debug' => TRUE, 'cache_on' => FALSE, 'cachedir' => '', 'char_set' => 'utf8', 'dbcollat' => 'utf8_general_ci', 'swap_pre' => '', 'encrypt' => FALSE, 'compress' => FALSE, 'stricton' => FALSE, 'failover' => array(), 'save_queries' => TRUE );
My question: is it safe (SQL Injection) when I use that query above?
Many thanks
-
gadelat
Member
-
Posts: 128
Threads: 3
Joined: Feb 2015
Reputation:
7
-
casa
Member
-
Posts: 59
Threads: 17
Joined: Apr 2015
Reputation:
2
(04-05-2015, 01:07 PM)smallbug Wrote: Hi All!
I'm a beginner and have just started with CodeIgniter 3.0
If I don't want to forget the way how to create regular SQL-Code, I use this model:
PHP Code: public function intsertNew($firstname, $secondname, $age) {
$sql = "INSERT INTO tbl_employee (firstname, secondname, age) VALUES('$firstname', '$secondname', $age)"; $query = $this->db->query($sql);
return $query; // TRUE/FALSE }
In the config of database.php I use PDO to be safe:
PHP Code: $db['default'] = array( 'dsn' => 'mysql:host=localhost;dbname=employee', 'hostname' => 'localhost', 'username' => 'root', 'password' => '', 'database' => 'employee', 'dbdriver' => 'pdo', 'dbprefix' => '', 'pconnect' => FALSE, 'db_debug' => TRUE, 'cache_on' => FALSE, 'cachedir' => '', 'char_set' => 'utf8', 'dbcollat' => 'utf8_general_ci', 'swap_pre' => '', 'encrypt' => FALSE, 'compress' => FALSE, 'stricton' => FALSE, 'failover' => array(), 'save_queries' => TRUE );
My question: is it safe (SQL Injection) when I use that query above?
Many thanks
To Secure your query:
PHP Code: $talbe_name = 'tbl_employee' ; $data = array('firstname' => $var1, 'secondname' => $your_var, 'age' => $your_var2) ; $this->db->insert($table_name, $data) ; // this will escape your var automatically
-
casa
Member
-
Posts: 59
Threads: 17
Joined: Apr 2015
Reputation:
2
Another solution too (automactically protected):
PHP Code: $sql = "INSERT INTO tbl_employee (firstname, secondname, age) VALUES(?, ?,?)"; $query = $this->db->query($sql, array('firstname' => $var1, 'secondname' => $var2, 'age' => $var3));
|