[eluser]tical[/eluser]
I know CI is meant to escape SQL queries against SQL injection when Active Record is used; however, I decided to actually test it, and to my confusion, I can beat it very simply when submitting HTML entity codes.
In my example, data is retrieved from a text input field using:
Code:
$this->input->post('my_field');
If I were to submit the value:
Code:
1' OR `column` != '1
And enter it into an Active Record query as follows:
Code:
$data = $this->input->post('my_field'); // Value = 1' OR `column` != '1
$this->db->get_where('my_table', array('column' => $data));
echo $this->db->last_query();
It outputs the MySQL statement:
Code:
SELECT * FROM `my_table` WHERE `column` = '1' OR `column` != '1'
Which, in this example, would return every record in the table.
Is this a serious bug, or is something wrong with my implementation?
I'm using CI 2.0.2 Reactor.
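One way to check whether the driver is escaping the quote at all, and to compare the Active Record path against query bindings, as an added example that is not part of the original post or of CodeIgniter itself. It assumes CI 2.x with the database library loaded, the `my_table` / `column` names from the post, and a throwaway controller name (`Escapetest`) chosen here for illustration:

```php
<?php
// Added example, not code from the original post or from CodeIgniter itself.
// A throwaway CI 2.x controller method that runs the payload from the post
// through three paths and reports whether the user-supplied quote survived.
// Assumes the database library is loaded and a table `my_table` with a
// column `column` exists, as in the post.
class Escapetest extends CI_Controller {

    public function index()
    {
        // Constructed input, identical to the value submitted in the post.
        $data = "1' OR `column` != '1";

        // 1. The driver's own escaping, which Active Record calls internally.
        //    Correct output wraps the value in quotes and escapes the inner ones.
        $results = array('escape()' => $this->db->escape($data));

        // 2. Active Record with an associative array, exactly as in the post.
        $this->db->get_where('my_table', array('column' => $data));
        $results['get_where()'] = $this->db->last_query();

        // 3. Query bindings: each ? is replaced by the escaped value.
        $this->db->query('SELECT * FROM `my_table` WHERE `column` = ?', array($data));
        $results['bindings'] = $this->db->last_query();

        foreach ($results as $label => $sql)
        {
            echo str_pad($label, 12) . $sql . "\n";
            echo str_pad('', 12)
               . ($this->quote_leaked($sql) ? 'RAW QUOTE PRESENT' : 'quotes escaped') . "\n";
        }
    }

    // TRUE when the statement contains more than the two delimiter quotes
    // around a single string literal, i.e. a quote from the input was not
    // escaped. Counts quotes not preceded by a backslash (MySQL-style \');
    // a driver that doubles quotes ('') instead would need the pattern adjusted.
    private function quote_leaked($sql)
    {
        $bare = preg_match_all("/(?<!\\\\)'/", $sql, $m);
        return $bare > 2;
    }
}
```

If `escape()` already reports a raw quote, the problem is in the driver or connection setup rather than in Active Record; if only `get_where()` does, something between `$this->input->post()` and the query (such as entity decoding) is changing the value after escaping.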