Help to avoid sql injection attack
#1

[eluser]Unknown[/eluser]
Would you please guide me on securing my query?



Here is the query:
Code:
$id=$_GET['id'];
$sql="select title,picture,news from sport where id='$id'";
$result=mysql_query($sql,$db);



Do you think it's secure now?

Code:
$id = mysql_real_escape_string($_GET['id']);
#2

[eluser]Bart v B[/eluser]
That can be much simpler.
Use Active Records.

Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    $this->db->from('sport');
    
    $query = $this->db->get();
    
    foreach ($q->result() as $row)
    {
        $aData[] = $row;
        
    }
    
    return $aData;
}
#3

[eluser]CodeIgniteMe[/eluser]
+1 vote for Bart v B's answer.

only trimmed some redundant codes:
Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $q->result();
}
#4

[eluser]Bart v B[/eluser]
[quote author="CodeIgniteMe" date="1312784824"]+1 vote for Bart v B's answer.

only trimmed some redundant codes:
Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $q->result();
}
[/quote]

Pssst... Where is $q coming from?

Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $query->result();
}
#5

[eluser]CodeIgniteMe[/eluser]
haha sorry, I didn't see that. I only used your code as a reference.
#6

[eluser]CodeIgniteMe[/eluser]
[quote author="Bart v B" date="1312855066"]
Code:
function GetData()
{
    $this->db->select('select title,picture,news');
    $this->db->where('id', $_GET['id']);
    
    $query = $this->db->get('sport');
    
    return $query->result();
}
[/quote]

and one more thing to clean up.
You don't need to include the select keyword in the statement
Code:
$this->db->select('select title,picture,news');
should be
Code:
$this->db->select('title,picture,news');
#7

[eluser]CodeIgniteMe[/eluser]
Or to make it all so short
Code:
function get_data()
{
    return $this->db->select('title,picture,news')->where('id', $_GET['id'])->get('sport')->result();
}

only works with PHP >= 5.0
Method Chaining
#8

[eluser]P.T.[/eluser]
Code:
function get_data()
{
    return $this->db->select('title,picture,news')->where('id', $this->input->get('id'))->get('sport')->result();
}
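Added example, not from this thread or from CodeIgniter itself: the raw string-building query from the first post next to the bound-value pattern the replies recommend (CodeIgniter's where() binds the value for you; here plain PDO is used so the difference is visible), run against an in-memory SQLite table so it works offline. The table, its rows and the pdo_sqlite extension are assumptions of the example.

```php
<?php
// Constructed sample data standing in for the thread's "sport" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sport (id INTEGER PRIMARY KEY, title TEXT, picture TEXT, news TEXT)");
$db->exec("INSERT INTO sport VALUES (1, 'Football', 'f.jpg', 'Derby result'),
                                   (2, 'Tennis',   't.jpg', 'Final tonight')");

// Pattern from the first post: the request value is pasted straight into the
// SQL text, so every character the client sends becomes part of the statement.
function fetch_interpolated(PDO $db, string $id): array
{
    $sql = "SELECT title, picture, news FROM sport WHERE id='$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound-value version: the SQL text is fixed and the value travels separately,
// so a quote inside it is compared as data and can never change the query.
// This is what $this->db->where('id', $value) does for you in CodeIgniter.
function fetch_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT title, picture, news FROM sport WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Extra check for a numeric key: reject anything that is not a plain integer
// before it reaches the database at all, and answer with a 404 instead.
function id_or_null(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

$normal = '2';
var_dump(fetch_interpolated($db, $normal) === fetch_prepared($db, $normal)); // bool(true)

$odd = "2'"; // constructed input containing a single quote
try {
    fetch_interpolated($db, $odd);
} catch (PDOException $e) {
    echo "interpolated: the quote became SQL syntax and broke the statement\n";
}
echo 'prepared: ', count(fetch_prepared($db, $odd)), " rows, value compared as data\n";
var_dump(id_or_null($odd)); // NULL: rejected before any query runs
```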



