SQL Injection protection in CodeIgniter

Hello, I have an application which inserts post data into the database. The problem is that if I put sth', 'sth in the text field, it creates a database error, because it tries to insert two fields' data into only one:

INSERT INTO md5_decryptor (characters,md5) VALUES ('sth', 'sth','29f14c6f1851e7766ae69fdf4ca0c1c3');

I have the global XSS filtering enabled.

Without actual code it's difficult for us to guess what is wrong.

Some ideas:
- you're not using CI's active record, but code your queries by hand without proper escaping
- you use data from $_POST, not via $this->input->post

XSS filtering doesn't do anything with quotes in an input field, they are perfectly legal. They need to be escaped though if you use them in a query.

I'm not escaping the queries, how can I do that?

If you use CI's active record, CI does that for you. See the user manual.

I have used it but I get this error:

Unknown column 'Razican' in 'where clause'

UPDATE `users` SET `last_IP` = 'x.x.x.x' WHERE `username` = Razican

EDIT: My fault

EDIT: It works fine now, thanks.
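As an added illustration (not code from this thread or from CodeIgniter itself): the hand-built concatenation that produces the opening post's error, next to the Active Record and query-binding forms the replies recommend. It assumes a CodeIgniter controller where $this->db and $this->input are available; the function names and the use of md5() to fill the second column are assumptions.

```php
<?php
// Added example, not from the thread. Table and column names come from the
// posts above; the helper names and md5() for the second column are assumed.

// VULNERABLE: string concatenation. An input of  sth', 'sth  closes the first
// literal early and is parsed as an extra value, which is exactly the
// "two fields in one" error from the opening post.
function insert_vulnerable($db, $characters)
{
    $sql = "INSERT INTO md5_decryptor (characters, md5) VALUES ('"
         . $characters . "', '" . md5($characters) . "')";
    return $db->query($sql);
}

// FIXED (Active Record): the driver escapes every value for you.
function insert_ar($db, $characters)
{
    return $db->insert('md5_decryptor', array(
        'characters' => $characters,
        'md5'        => md5($characters),
    ));
}

// FIXED (query bindings): each ? is replaced with an escaped, quoted value.
function insert_bound($db, $characters)
{
    return $db->query(
        'INSERT INTO md5_decryptor (characters, md5) VALUES (?, ?)',
        array($characters, md5($characters))
    );
}

// The UPDATE from the later post: where() quotes the value itself, so an
// unquoted literal such as  WHERE `username` = Razican  cannot be produced.
function update_last_ip($db, $username, $ip)
{
    $db->where('username', $username);
    return $db->update('users', array('last_IP' => $ip));
}

// Usage inside a controller, reading through the input class rather than $_POST:
// insert_ar($this->db, $this->input->post('characters'));
// update_last_ip($this->db, $this->input->post('username'), $this->input->ip_address());
```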
