Prevent SQL Injection for Oracle Database
#1

[eluser]asyafrudin[/eluser]
Hi, I'm new here. I wanted to confirm something about SQL Injection in CodeIgniter. The documentation (and many other articles I've come across on the Internet) said that using CodeIgniter's Active Record Class should be enough to prevent SQL Injection. However, that doesn't seem to be the case when I'm using it against an Oracle database.

When I submit the typical "1' or 'x' = 'x" through a web form, it does the magic of retrieving all the records inside the underlying table. So currently I have concluded that CodeIgniter does not prevent SQL Injection _for Oracle Database_. Yes, I emphasize Oracle because after looking at both driver classes, i.e. oci8_driver and mysql_driver, it is clear that mysql_driver has a way better string-escaping mechanism.

What I wanted to ask was: should I hack the oci8_driver to accommodate my needs, or is there any other way to prevent SQL Injection for Oracle?

Thanks.
#2

[eluser]phpfresher[/eluser]
Maybe this function will work:
Code:
oci_bind_by_name
#3

[eluser]asyafrudin[/eluser]
Hi,

Thanks for the suggestion, although I've already decided to use the html_escape function provided by CodeIgniter to escape POST form data whenever necessary.
#4

[eluser]CroNiX[/eluser]
Have you tried using bindings?
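Both #2 and #4 point at Oracle bind variables. As an added example that is not code from this thread or from CodeIgniter, here is one lookup written first with string concatenation and then with oci_bind_by_name(); the `users` table, `username` column and connection details are assumed placeholders.

```php
<?php
// Added example, not code from the thread. A user lookup against Oracle via
// PHP's oci8 extension: string concatenation first, then a bind variable.
// Table `users` and column `username` are illustrative placeholders.

// VULNERABLE: the value is pasted into the SQL text, so a value such as the
// "1' or 'x' = 'x" string from the first post changes the WHERE clause and
// the statement matches every row. No driver-side escaping is involved here.
function find_by_username_unsafe($conn, $username)
{
    $sql  = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $stid = oci_parse($conn, $sql);
    oci_execute($stid);
    return oci8_fetch_rows($stid);
}

// FIXED: :uname is a real Oracle bind variable. The statement is parsed
// without the value, and the value is sent separately at execute time, so it
// is always treated as data and can never alter the statement's structure.
function find_by_username($conn, $username)
{
    $stid = oci_parse($conn, 'SELECT id, username FROM users WHERE username = :uname');
    // Binds by reference; the default SQLT_CHR type is fine for a VARCHAR2 column.
    oci_bind_by_name($stid, ':uname', $username);
    if (!oci_execute($stid)) {
        $e = oci_error($stid);
        throw new RuntimeException('Oracle error: ' . $e['message']);
    }
    return oci8_fetch_rows($stid);
}

// Helper: drain the cursor into an array of associative rows and free it.
function oci8_fetch_rows($stid)
{
    $rows = array();
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

// Usage (placeholder credentials and connect string):
// $conn = oci_connect('app_user', 'app_password', '//db-host/ORCLPDB1');
// $rows = find_by_username($conn, $_POST['username']);
```

Note that CodeIgniter's own `?` query bindings are substituted client-side through the driver's escape function rather than passed to Oracle as bind variables, so they inherit whatever weakness that escape function has.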
