Not validated input and query builder class
#1

I have read the CI user guide, and it stated that the query builder class can generate SQL statements quite safely, but it is not designed to prevent SQL injection no matter what data is passed to it.

If I don't validate my input, I feel very unsafe depending on the query builder class for preventing SQL injection.

I want to have an input field that accepts a variety of answers from my users. And the answer can include all kinds of symbols. 

Can I trust Query Builder with unvalidated input fields? I am so scared that my database data will all be gone at some point. I don't have any database backups. Sad
#2

(07-22-2023, 01:48 PM)ONice Wrote: Can I trust Query Builder with unvalidated input fields?

No, you can't.

If you use Query Builder safely, it is safe. How do you use it safely?
Read https://codeigniter4.github.io/CodeIgnit...protection

(07-22-2023, 01:48 PM)ONice Wrote: I don't have any database backups. Sad

Why don't you backup your database?
#3

My hosting provider backs up my databases every night for me and places the file in my root as a zip file
so that I can download it whenever I want it.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#4

(This post was last modified: 07-29-2023, 12:48 AM by ONice.)

(07-28-2023, 02:01 AM)kenjis Wrote:
(07-22-2023, 01:48 PM)ONice Wrote: Can I trust Query Builder with unvalidated input fields?

No, you can't.

If you use Query Builder safely, it is safe. How do you use it safely?
Read https://codeigniter4.github.io/CodeIgnit...protection

(07-22-2023, 01:48 PM)ONice Wrote: I don't have any database backups. Sad

Why don't you backup your database?

I have read that as well. It says the query builder takes three arguments, and all values are escaped by default. So can I conclude that, if I don't disable escape and don't use custom strings or raw SQL, it's pretty much 99.99% safe already?

(07-28-2023, 10:58 PM)InsiteFX Wrote: My hosting provider backs up my databases every night for me and places the file in my root as a zip file
so that I can download it whenever I want it.

Great hosting provider! I am running my own hosting, still figuring out how to set up database backups. Any suggestions on where to get started?
#5

A value means a column value. Unless escaping is disabled, the value is escaped by the Query Builder, so SQL injection attacks by strings in the value are not possible.

What the Query Builder cannot protect is column names (or table names). If these values can be modified by users, SQL injection attacks are easy.
However, usually those values are hard-coded, and users cannot modify them.

Even if you use custom strings or raw SQL, they are safe when their values are hard-coded.
If users can modify a part of them, it is not safe.
#6

(07-29-2023, 12:59 AM)kenjis Wrote: However, usually those values are hard-coded, and users cannot modify them.

I wrote above. However, this may not be correct.

I imagined SELECT query like:

PHP Code:
$builder->where('name', $name);

but if a dev writes code like the following:

PHP Code:
$builder->insert($_POST); 

the column names are not hard-coded.
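As an added example (not code from any poster in this thread or from the CodeIgniter project), the `insert($_POST)` pattern kenjis describes next to a version that keeps the column names hard-coded through an allow-list. It assumes a CodeIgniter 4 application with a `users` table whose columns are `name` and `email`; the request body is constructed.

```php
<?php
// Added example, not from the thread. Assumes CodeIgniter 4 and a
// `users` table with the hard-coded columns `name` and `email`.

use Config\Database;

/**
 * Keep only the keys that appear in the hard-coded allow-list.
 * Query Builder escapes the VALUES; the KEYS become column names in
 * the generated INSERT, and those are what this function protects.
 */
function onlyAllowedColumns(array $input, array $allowed): array
{
    $filtered = array_intersect_key($input, array_flip($allowed));
    if ($filtered === []) {
        throw new InvalidArgumentException('No permitted columns in input.');
    }
    return $filtered;
}

// Constructed request body: the client sent a key the form never had.
$_POST = [
    'name'           => "O'Brien",        // value: escaped by Query Builder
    'email'          => 'ob@example.com', // value: escaped by Query Builder
    'unexpected_key' => 'whatever',       // key: would become a column name
];

$db      = Database::connect();
$builder = $db->table('users');

// Unsafe: every key the client chose becomes a column name in the INSERT.
// $builder->insert($_POST);

// Safe: column names come only from the hard-coded allow-list; the
// extra key is dropped before the data reaches Query Builder.
$allowed = ['name', 'email'];
$builder->insert(onlyAllowedColumns($_POST, $allowed));
```

CodeIgniter 4's Model class applies the same idea through its `$allowedFields` property, which drops any key not listed before saving.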
#7

(07-30-2023, 01:39 AM)kenjis Wrote:
(07-29-2023, 12:59 AM)kenjis Wrote: However, usually those values are hard-coded, and users cannot modify them.

I wrote above. However, this may not be correct.

I imagined SELECT query like:

PHP Code:
$builder->where('name', $name);

but if a dev writes code like the following:

PHP Code:
$builder->insert($_POST); 

the column names are not hard-coded.

I see what you mean by column names not being hard-coded. I never thought it could be like this without being hard-coded.

Thanks for dispelling the doubts that clouded my mind.