Create account



CodeIgniter.com Twitter      


  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
How to prevent SQL injection?

El Forum
Guest
 
#1
01-04-2013, 05:17 AM
[eluser]Volkof[/eluser]
Hi all,

Is there a way to prevent SQL injection?

In my view, I have a textarea to enter comments, but if the user enter something like

Code:
You know what, I'm sure this review is fine

You can see that there is an Apostrophe


Then this is gonna cause syntax error in my model;
Code:
$sql = "INSERT INTO Comment (comment, userID, reviewID)
  VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
  $query = $this->db->query($sql);


Thanks in advance

El Forum
Guest
 
#2
01-04-2013, 07:08 AM
[eluser]PhilTem[/eluser]
Use CI's AR-class, use the db->escape method, or perform query bindings.

Code examples can be found in the user's guide.

El Forum
Guest
 
#3
01-04-2013, 09:18 AM
[eluser]Unknown[/eluser]
[quote author="Volkof" date="1357301854"]Hi all,

Is there a way to prevent SQL injection?

In my view, I have a textarea to enter comments, but if the user enter something like

Code:
You know what, I'm sure this review is fine

You can see that there is an Apostrophe


Then this is gonna cause syntax error in my model;
Code:
$sql = "INSERT INTO Comment (comment, userID, reviewID)
  VALUES ('".$comment."', '".$userID."', '".$reviewID."')";
  $query = $this->db->query($sql);


Thanks in advance[/quote]
Simply do,
Code:
$this->db->query("INSERT INTO Comment (comment, userID, reviewID)
  VALUES (?, ?, ?)", array($comment, $userID, $reviewID));


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.