[eluser]nebulom[/eluser]
I'm updating code and passing some values that contain a single quote. The code in the model is like
Code:
// Model method: update one discussion row by primary key.
function updateDiscussion($id)
{
    // Values to be escaped and quoted by Active Record.
    $data = array(
        'COMMENTS'       => $this->input->post('comments'),
        'LAST_UPDATE_BY' => $this->session->userdata('username')
    );

    // Third argument FALSE: insert the Oracle sysdate function verbatim, unescaped.
    $this->db->set('LAST_UPDATE_DATE', 'sysdate', FALSE);

    // Escapes $data and the WHERE value, then runs the UPDATE.
    $this->db->update('EES_BPC_DISC', $data, array('ID' => $id));
}
but it doesn't escape automatically. Do I have to do it manually, as in 'COMMENTS' => $this->db->escape($this->input->post('comments'))?
But when I do that, it still doesn't escape correctly. It returns something like
Quote:UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = ''So if i put automatic Xss-filtering i will prevent sql ... It's a very good security practice to escape your data before submitting it into your database. ... to escape the string using the character set of the database. ...'', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'
Why two single quotes? It should be the "It's" that has two single quotes. Any clarification? I'm a bit lost here. Thanks.