Does code igniter stop SQL Injection?
#11

[eluser]Thorpe Obazee[/eluser]
[quote author="Bogdan Tanase" date="1245153764"]OT:

Hmm... what about the bugs in the database class where escaping goes wild?

example:

Code:
$this->db->select('products.*, users.user_name');

/* this will produce:

SELECT `products`.`*`, users.user_name

-> syntax error

*/

In this case the solution was to use a third FALSE parameter to cancel escaping, which I believe leaves the query vulnerable to SQL injection. Am I right?

Have they been corrected? I haven't checked the SVN in a while...

Also, in some cases, due to limitations of Active Query you'll have to write standard queries:

Code:
$this->db->query("SELECT * FROM products WHERE prod_name='$prod_name'");

I believe this is not escaped, right?[/quote]

I don't think that causes any error. It will produce the correct statement. I just tested it.
#12

[eluser]Bogdan Tanase[/eluser]
Looks like you're right :)

I did a test case now on CI 1.7.1 and it works fine. They must have fixed it. Sorry for bringing it up.
#13

[eluser]sl3dg3hamm3r[/eluser]
[quote author="Bogdan Tanase" date="1245153764"]
Code:
$this->db->query("SELECT * FROM products WHERE prod_name='$prod_name'");

I believe this is not escaped, right?[/quote]

Right, in that case you would need to escape manually.
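To make the "escape manually" point concrete, here is an added example (not code from the thread or from CodeIgniter itself) that puts the unescaped query from the quote beside the three ways CodeIgniter 1.7 will escape the value for you. It assumes it runs inside a CI 1.7 model where the database library is loaded and a `products` table with a `prod_name` column exists.

```php
<?php
// Added example, assumes CodeIgniter 1.7 with $this->db loaded and a
// `products` table that has a `prod_name` column.
class Product_model extends Model {

    // UNSAFE: $prod_name is interpolated straight into the SQL string.
    // A single quote inside the value closes the string literal and the
    // remainder of the value is parsed as SQL.
    public function find_unsafe($prod_name)
    {
        return $this->db->query(
            "SELECT * FROM products WHERE prod_name='$prod_name'"
        )->result();
    }

    // Option 1: manual escaping. escape() both quotes the value and
    // escapes special characters, so do not add quotes of your own.
    public function find_escaped($prod_name)
    {
        $sql = 'SELECT * FROM products WHERE prod_name = '
             . $this->db->escape($prod_name);
        return $this->db->query($sql)->result();
    }

    // Option 2: query bindings. Each ? is replaced, in order, by the
    // escaped value from the array. Placeholders work for values only,
    // not for table or column names.
    public function find_bound($prod_name)
    {
        return $this->db->query(
            'SELECT * FROM products WHERE prod_name = ?',
            array($prod_name)
        )->result();
    }

    // Option 3: Active Record. get_where() escapes the value itself and
    // protects the identifiers, so neither manual step is needed.
    public function find_ar($prod_name)
    {
        return $this->db->get_where(
            'products', array('prod_name' => $prod_name)
        )->result();
    }
}
```

Options 1 to 3 all produce the same query for ordinary input; the difference shows up only when the value contains quotes or other characters that would change the meaning of the interpolated version.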