Welcome Guest, Not a member yet? Register   Sign In
Question About Sql injection

I think this is important.
May I ask a question, post data will automatically escape vulnerability characters ?

No, post data is not automatically escaped in such a way.

Values passed to AR are.
Field names passed to AR are NOT and this is noted in the manual.

The shares that you've linked to, blatantly ignore that last thing and intentionally make it look like the manual says that field names are escaped. It does so by taking a note about the where() function and presenting it as if it applies to every AR function. I wonder if that's the reason why the author didn't report the "issue" to CI ... cheap fame.

Theme © iAndrew 2016 - Forum software by © MyBB