SQL Injection problem
#1

(This post was last modified: 03-06-2018, 06:29 AM by ChrisPL.)

I'm a beginner with CodeIgniter and I'm stuck on a problem with counting.

I try to count records in my database using the code below:

$count = $this->db->where(['title'=> $this->input->post('title'), 'name'=> $this->input->post('name')])->from("table")->count_all_results();

Then I check the query in development using the code below:

echo $this->db->last_query();

Everything is ok if I send data like title: test1 and name: test2:

SELECT COUNT(*) AS `numrows` FROM `table` WHERE `title` = 'test1' AND `name` = 'test2'

But if I send data similar to SQL injection: test1 AND id = 1' it changes to:

SELECT COUNT(*) AS `numrows` FROM `table` WHERE `opis` = 'test1 AND `id` = 1\'' AND `nazwisko` = 'test2'

How do I prevent id from being changed to `id` in this query? If I send the data "test1 ANDY = 1', the query is without ` around id.
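The query logged above is worth reading carefully: the quote in the submitted value arrives as `\'`, so the whole input is still one string literal and the `AND \`id\` = 1` fragment is compared as text, not executed. The backticks are only the query builder quoting what looks like an identifier inside the already-escaped value. The same count written with bound parameters, so that user input can never become SQL text at all, is shown below. This is an added example and not code from the thread or from CodeIgniter; it uses PDO with an in-memory SQLite database so it runs without the framework, and the table, its rows and the column names `title` and `name` are constructed for the demonstration.

```php
<?php
// Added example: a COUNT(*) query with bound parameters, run against a
// constructed in-memory SQLite table rather than the poster's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// "table" is a reserved word, so it is double-quoted here (SQLite/ANSI style);
// MySQL would use the backticks seen in the thread's logged query.
$pdo->exec('CREATE TABLE "table" (id INTEGER PRIMARY KEY, title TEXT, name TEXT)');
$pdo->exec("INSERT INTO \"table\" (title, name) VALUES ('test1', 'test2'), ('other', 'test2')");

function countRows(PDO $pdo, string $title, string $name): int
{
    // Named placeholders are filled in by the driver at execute() time, so the
    // values are always treated as data: quotes, AND, or = inside them are
    // compared literally and never change the statement's structure.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) AS numrows FROM "table" WHERE title = :title AND name = :name'
    );
    $stmt->execute([':title' => $title, ':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Plain input: matches the one row whose title is exactly 'test1'.
var_dump(countRows($pdo, 'test1', 'test2'));

// The input from the thread: no row has this exact string as its title,
// so the count is zero and the quote in the value does not break the SQL.
var_dump(countRows($pdo, "test1 AND id = 1'", 'test2'));
```

In CodeIgniter itself the equivalent is to pass values through the query builder (as the original post already does) or to use `$this->db->query($sql, $bindings)` with `?` placeholders; in both cases the driver escapes the value, and the backticks in the logged query are cosmetic rather than a sign the input was interpreted as SQL.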
#2

(This post was last modified: 03-05-2018, 01:44 AM by ciadmin. Edit Reason: Removed non-English )

Maybe it will help you: https://stackoverflow.com/questions/1615...-injection