How to prevent SQL injection?
#1

[eluser]Volkof[/eluser]
Hi all,

Is there a way to prevent SQL injection?

In my view, I have a textarea to enter comments, but if the user enters something like

Code:
You know what, I'm sure this review is fine

You can see that there is an apostrophe.


Then this is going to cause a syntax error in my model:
Code:
// Values are concatenated straight into the SQL string; a quote in $comment
// ends the literal early and the rest of the input is parsed as SQL.
$sql = "INSERT INTO Comment (comment, userID, reviewID)
        VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
$query = $this->db->query($sql);


Thanks in advance
#2

[eluser]PhilTem[/eluser]
Use CI's AR-class, use the db->escape method, or perform query bindings.

Code examples can be found in the user's guide.
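For reference, here are the three options named above written out as a CodeIgniter model. This is an added example, not code from the thread or from the CodeIgniter User Guide; it targets CodeIgniter 2.x/3.x, keeps the table and column names from the original post, and the model class name, method names and `$data` array are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): the three ways to get user input into
// the Comment table safely in CodeIgniter 2.x/3.x. Class and method names are
// assumed; table/column names follow the original post.
class Comment_model extends CI_Model
{
    // 1. Active Record / Query Builder: insert() escapes every value and
    //    protects the identifiers for you.
    public function add_with_ar($comment, $userID, $reviewID)
    {
        $data = array(
            'comment'  => $comment,
            'userID'   => $userID,
            'reviewID' => $reviewID,
        );
        return $this->db->insert('Comment', $data);
    }

    // 2. Manual escaping with $this->db->escape(). It returns the value
    //    already wrapped in single quotes (numbers pass through unquoted),
    //    so do NOT write '".$this->db->escape($comment)."' or you get ''...''.
    public function add_with_escape($comment, $userID, $reviewID)
    {
        $sql = "INSERT INTO Comment (comment, userID, reviewID) VALUES ("
             . $this->db->escape($comment) . ", "
             . $this->db->escape($userID) . ", "
             . $this->db->escape($reviewID) . ")";
        return $this->db->query($sql);
    }

    // 3. Query bindings: each ? is replaced, in order, by the escaped value
    //    from the array. The SQL text itself never contains user input.
    public function add_with_bindings($comment, $userID, $reviewID)
    {
        $sql = "INSERT INTO Comment (comment, userID, reviewID) VALUES (?, ?, ?)";
        return $this->db->query($sql, array($comment, $userID, $reviewID));
    }
}
```

All three protect values only. A table name, column name or `ORDER BY` direction taken from the request cannot be escaped or bound; compare it against an allow-list of known names before it goes anywhere near the query.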
#3

[eluser]Unknown[/eluser]
[quote author="Volkof" date="1357301854"]Hi all,

Is there a way to prevent SQL injection?

In my view, I have a textarea to enter comments, but if the user enters something like

Code:
You know what, I'm sure this review is fine

You can see that there is an apostrophe.


Then this is going to cause a syntax error in my model:
Code:
// Values are concatenated straight into the SQL string; a quote in $comment
// ends the literal early and the rest of the input is parsed as SQL.
$sql = "INSERT INTO Comment (comment, userID, reviewID)
        VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
$query = $this->db->query($sql);


Thanks in advance[/quote]
Simply do,
Code:
$this->db->query("INSERT INTO Comment (comment, userID, reviewID)
  VALUES (?, ?, ?)", array($comment, $userID, $reviewID));
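The one-liner above is the right fix; what the thread does not show is why the apostrophe matters beyond a broken page. The following stand-alone script is an added example, not from the thread: it uses PDO with an in-memory SQLite database instead of CodeIgniter's DB layer (which needs the framework bootstrapped), recreates the concatenated INSERT from the original post, feeds it first the harmless comment with the apostrophe and then a constructed payload that chooses its own `userID` and `reviewID`, and finally runs both inputs through a bound statement. The table definition and all values are constructed for the demo. CodeIgniter's `?` bindings are implemented by escaping each value before substitution, whereas PDO here uses a real prepared statement; the property that matters is the same in both cases, namely that the comment text never becomes part of the SQL.

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension.
// Reproduces the apostrophe failure from the original post, shows the
// injection that the same bug allows, then shows that bindings store the
// input literally. Table and sample values are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Comment (id INTEGER PRIMARY KEY, comment TEXT, userID INTEGER, reviewID INTEGER)');

// The model's original pattern: user input concatenated into the SQL string.
function insertConcatenated(PDO $db, string $comment, int $userID, int $reviewID): void
{
    $sql = "INSERT INTO Comment (comment, userID, reviewID)
            VALUES ('" . $comment . "', '" . $userID . "', '" . $reviewID . "')";
    $db->exec($sql);
}

// The fix: the SQL is fixed text, the values travel separately.
function insertBound(PDO $db, string $comment, int $userID, int $reviewID): void
{
    $stmt = $db->prepare('INSERT INTO Comment (comment, userID, reviewID) VALUES (?, ?, ?)');
    $stmt->execute(array($comment, $userID, $reviewID));
}

$me     = 5;  // the logged-in user the application intends to record
$review = 3;  // the review the comment form belongs to

// 1. The harmless apostrophe from the original post breaks the query.
try {
    insertConcatenated($db, "You know what, I'm sure this review is fine", $me, $review);
} catch (PDOException $e) {
    echo "concatenated: syntax error as expected: ", $e->getMessage(), "\n";
}

// 2. The same bug lets the sender close the string, finish the VALUES list
//    with their own userID and reviewID, and comment out the rest. Resulting SQL:
//    VALUES ('nice', 42, 7) -- ', '5', '3')
$payload = "nice', 42, 7) -- ";
insertConcatenated($db, $payload, $me, $review);
echo "concatenated with payload:\n";
print_r($db->query('SELECT comment, userID, reviewID FROM Comment')->fetchAll(PDO::FETCH_ASSOC));
// The stored row says userID 42 on reviewID 7, not user 5 on review 3.

// 3. With bindings both inputs are stored exactly as typed, under user 5 / review 3.
insertBound($db, "You know what, I'm sure this review is fine", $me, $review);
insertBound($db, $payload, $me, $review);
echo "bound:\n";
print_r($db->query('SELECT comment, userID, reviewID FROM Comment WHERE userID = 5')->fetchAll(PDO::FETCH_ASSOC));
```

Run it with `php demo.php`. The second query result is the point: with concatenation the attacker, not the application, decides which user and which review a comment is recorded against, and no stacked query or special database feature is needed to do it.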



