Codeigniter 4 - How can we be safe without PDO?
#1

Hello,

Normally I do not use an MVC structure or any framework; I prefer to design each project from scratch so that it is fully manageable. But some projects were designed using framework structures such as CodeIgniter, so I decided to learn CodeIgniter.

As everyone knows, SQL injection attacks are mitigated thanks to some of the measures and methods that PDO takes.

For this reason, coding is done directly through the PDO driver instead of MySQLi or MySQL, and in addition user inputs are validated as much as possible, etc.

But after downloading CodeIgniter 4 and installing theme integrations etc., when I started working with SQL connections I saw that the PDO driver was not supported. This scared me a bit, as I had no knowledge of it.

Error for PDO connection:

Class "CodeIgniter\Database\pdo\Connection" not found

For example, the database connection and transaction example I used in a project I created without any framework:
https://prnt.sc/dDjfHiFcA419

When I'm on any page in my own projects, I can connect to the database class you see in the picture and generate easy queries like this:

// Data removed from database.
$db->specialQuery("DELETE FROM fruit WHERE id = ? ", array($data));

// Returned array.
$db->dataGet("SELECT * FROM fruit WHERE id = ? ", array($data));

// Returned integer data count.
(int)$db->dataCountQuery("SELECT COUNT(*) FROM fruit WHERE x = ? ", array($data));

The main question I want to ask you is: are the queries run through the Query Builder or through the CodeIgniter\Database\BaseConnection->query() method used by CodeIgniter 4 safe, and do they perform the same function as PDO? I've looked through the documentation, and I can do things like:

// database connection
$db = db_connect();

// Returned array.
$db->query("SELECT * FROM tbletc WHERE active = ? AND showheader=? ORDER BY sequence ASC", array($data1, $data2))->getResultArray();

// Returned integer data count.
(int)$db->query("SELECT * FROM tblsitemenu WHERE parent = ? ORDER BY sequence ASC", array($datax))->getNumRows();

When we use it this way, does it perform like PDO, so we don't need to use PDO?

Or, more precisely, which way can I minimize the possibility of SQL injection? Because this can create a huge problem in the future.

If we can clarify this issue, I will use CodeIgniter 4 in my own project.

Thanks for your answers in advance.
#2

Once you get into CI4 you will see what's in place.

RE: CSRF, have a look at: https://codeigniter.com/user_guide/libra...urity.html

and https://codeigniter4.github.io/userguide...y-bindings

Then here is an abstract from one of my models:

Code:
protected $allowedFields = ['title','article','image','slug','date','context'];

So you define allowed fields.
#3

(01-22-2023, 10:33 AM)captain-sensible Wrote: Once you get into CI4 you will see what's in place.

RE: CSRF, have a look at: https://codeigniter.com/user_guide/libra...urity.html

and https://codeigniter4.github.io/userguide...y-bindings

Then here is an abstract from one of my models:

Code:
protected $allowedFields = ['title','article','image','slug','date','context'];

So you define allowed fields.

Thanks for your answer and information.

Actually, what I am trying to ask is: when we use these query bindings (https://codeigniter4.github.io/userguide...y-bindings), can they protect us like PDO?
#4

The Query Bindings can protect us like PDO prepared statements.

But they are implemented in the CodeIgniter DB library, and they do not use prepared statements
and do not use PDO. CodeIgniter 4's DB library does not have PDO drivers yet.

Escaping values is done by the CodeIgniter DB library (and e.g. MySQLi).
So if there is no bug in the library, we are safe.

If you really like PDO and your library, you can use it with CodeIgniter.

But CodeIgniter provides the following ways to run SQL statements:
1. $db->query()
2. Query Builder
3. CodeIgniter Model
Query Builder uses $db->query() internally, and CodeIgniter Model uses Query Builder internally.
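The three ways listed above, as an added example that is not part of the thread: a constructed hostile value is passed through $db->query() binds, the Query Builder and a Model, so the reader can print the compiled SQL and see the value arrive as an escaped literal. It assumes a CodeIgniter 4 app is already bootstrapped (the code runs inside a controller or spark command) and a hypothetical "fruit" table with columns id and name.

```php
<?php
// Added example, not from the thread. Assumes CodeIgniter 4 is bootstrapped and
// a hypothetical table "fruit" (id, name) exists.
use CodeIgniter\Model;
use Config\Database;

// 3. CodeIgniter Model: $allowedFields restricts which columns insert()/update()
//    may touch when fed request data; values still go through the escaping below.
class FruitModel extends Model
{
    protected $table         = 'fruit';
    protected $primaryKey    = 'id';
    protected $allowedFields = ['name'];
}

$db = Database::connect();

// Constructed attacker-style input: concatenated into SQL it would change the
// WHERE clause; bound, it is only ever compared as a string.
$name = "apple' OR '1'='1";

// 1. $db->query() with ? binds: each bind is escaped by the driver (MySQLi's
//    real_escape_string for the mysqli driver) and spliced in as a quoted literal.
//    This is escaping, not a server-side prepared statement, as the answer notes.
$rows = $db->query('SELECT * FROM fruit WHERE name = ?', [$name])->getResultArray();
// Inspect what was actually sent: the embedded quotes appear escaped.
echo (string) $db->getLastQuery(), PHP_EOL;

// 2. Query Builder: where()/delete()/countAllResults() escape values the same way,
//    because the builder compiles to $db->query() internally.
$count = $db->table('fruit')->where('name', $name)->countAllResults();
$db->table('fruit')->where('id', 42)->delete();

// 3. Model: find() goes through the Query Builder, so the id is escaped too.
$fruit = (new FruitModel())->find(42);

// Caveat (holds for PDO as well): only values can be bound. Table and column
// names are identifiers, so never take them from request input; whitelist them.
$requestedSort = 'name; DROP TABLE fruit';          // constructed bad input
$allowedSort   = ['name', 'id'];
$sort = in_array($requestedSort, $allowedSort, true) ? $requestedSort : 'name';
$sorted = $db->table('fruit')->orderBy($sort, 'ASC')->get()->getResultArray();
```

Running it with the mysqli driver and comparing getLastQuery() output against the raw $name shows the quote characters escaped, which is the whole of the protection the thread describes.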