Escape string before inserting in a query
I know that when you are using CI query builder you don't need care about it, because CI automatically escapes strings for you.
But what if I need to use my own SQL query (which is not possible to build using query builder, or it's possible but only by taking really convoluted and strange ways), for instance (it can be much more complicated, it is just an example):
Code:
    $query = $this->db->query("SELECT * FROM `PM_board` WHERE `lesser_id` = {$owner}");
How do I protect myself from MySQL injection in this case? What function do I need to use on $owner to escape all dangerous symbols? But I don't want to distort the string representation. I don't want to change HTML entities, only to escape the string.
MySQL Documentation - Table 9.1 Special Character Escape Sequences
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
Or do I need to do something else to close all possible holes for a SQL injection attack?
You can use that one or query binding.
I find it easier to use the latter.
PHP Code:
    // the second argument supplies the value that replaces the ? placeholder
    $query = $this->db->query("SELECT * FROM `PM_board` WHERE `lesser_id` = ?", array($owner));
I too prefer query binding because, as the CI documentation says: The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.
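To put the two answers side by side, here is an added example (not code from the thread or from CodeIgniter itself) written as a CodeIgniter 3 model method. It assumes a CI 3 install with the database library loaded; the table `PM_board` and column `lesser_id` come from the question, while the `subject` column, the model name and the method names are assumptions. It also shows why the original `= {$owner}` form is unsafe even with `escape_str()`: without surrounding quotes there is no string literal for the escaping to protect, whereas `escape()` adds the quotes itself.

```php
<?php
// Added example: three safe ways to get $owner into a hand-written query,
// plus the LIKE-wildcard caveat. Assumes CodeIgniter 3 with $this->db loaded.
class Pm_board_model extends CI_Model
{
    // 1. Manual escaping with $this->db->escape(). For strings it returns the
    //    value wrapped in quotes with the contents escaped, so the value cannot
    //    terminate the literal. Interpolating "{$owner}" with no quotes (the
    //    original query) leaves nothing for escaping to protect.
    public function by_owner_escaped($owner)
    {
        $sql = "SELECT * FROM `PM_board` WHERE `lesser_id` = " . $this->db->escape($owner);
        return $this->db->query($sql)->result();
    }

    // 2. Query binding: each ? is replaced by the escaped value from the array,
    //    so SQL text and user data never mix in the string you write.
    public function by_owner_bound($owner)
    {
        $sql = "SELECT * FROM `PM_board` WHERE `lesser_id` = ?";
        return $this->db->query($sql, array($owner))->result();
    }

    // 3. When the column is numeric, an (int) cast is the simplest defence:
    //    an integer cannot carry SQL syntax.
    public function by_owner_int($owner)
    {
        $sql = "SELECT * FROM `PM_board` WHERE `lesser_id` = " . (int) $owner;
        return $this->db->query($sql)->result();
    }

    // Caveat: neither escape() nor binding neutralises LIKE wildcards (% and _).
    // escape_like_str() prefixes them with '!', and the query must declare
    // that escape character. The `subject` column is an assumed name.
    public function search_subject($term)
    {
        $pattern = '%' . $this->db->escape_like_str($term) . '%';
        $sql = "SELECT * FROM `PM_board` WHERE `subject` LIKE ? ESCAPE '!'";
        return $this->db->query($sql, array($pattern))->result();
    }
}
```

Whichever form you pick, the rule is the same: user input only ever reaches the query as a quoted, escaped literal or a bound value, never as raw text spliced into the SQL. Escaping covers values only; it does nothing for table or column names, which should come from a whitelist rather than from the request.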
@glorsh66, I've been able to write some pretty complex queries using the CI query builder... for example:
PHP Code:
    public function Complex_query($userid)