
I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?

Thanks!

Comments

  • Use prepared statements so you can say bye bye to mysql_real_escape_string(). Commented Oct 20, 2010 at 22:57
  • Forgive me, by prepared statements do you mean a function which cleanses all the variables and then puts them in the db? Commented Oct 20, 2010 at 23:06
  • No, he means prepared statements. Commented Oct 20, 2010 at 23:08
  • As Pete said, any MVC framework should have its own functions for interfacing with your db and take care of the repetitive stuff. Commented Oct 20, 2010 at 23:10

3 Answers


In order to use prepared statements, you can simply use query bindings with CodeIgniter.

// Each ? in the SQL is a bind marker; CodeIgniter escapes and quotes the
// matching value from the array before sending the query to the server.
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);

More info found here.


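To put the binding answer next to the pattern the question describes, here is an added example (not code from the answer above and not part of CodeIgniter's own documentation). It assumes a CodeIgniter 2.x/3.x controller with the database library loaded and a table `user` with columns `id` and `name`; the class and method names are made up for illustration.

```php
<?php
// Added example, not code from the answer or from CodeIgniter itself.
// Assumed: CodeIgniter 2.x/3.x controller, database library loaded,
// table `user` with columns `id` and `name`.
class User_example extends CI_Controller {

    // VULNERABLE: the pattern the question describes. A name containing an
    // apostrophe (O'Brien) breaks the SQL, and a crafted name can change
    // which rows the UPDATE touches.
    public function update_unsafe($id, $name)
    {
        $sql = "UPDATE user SET name = '" . $name . "' WHERE id = " . $id;
        return $this->db->query($sql);
    }

    // SAFE: query bindings. Each ? is replaced by the bound value after
    // CodeIgniter has escaped and quoted it. Only values can be bound;
    // table and column names still have to be fixed in the query string.
    public function update_bound($id, $name)
    {
        $sql = 'UPDATE user SET name = ? WHERE id = ?';
        return $this->db->query($sql, array($name, (int) $id));
    }

    // SAFE: Query Builder (called Active Record in CI 2) escapes every value
    // passed through where()/update()/insert() itself.
    public function update_builder($id, $name)
    {
        $this->db->where('id', (int) $id);
        return $this->db->update('user', array('name' => $name));
    }

    // Escaping quotes is not enough for LIKE: % and _ in the search term
    // would still act as wildcards. like() escapes those as well, so a user
    // cannot turn a lookup into "match everything".
    public function search_builder($term)
    {
        $this->db->like('name', $term);
        return $this->db->get('user')->result_array();
    }

    // Shows the SQL that was actually sent, useful while checking that a
    // quote in the input arrives as data rather than as syntax.
    public function last_sql()
    {
        return $this->db->last_query();
    }
}
```

The update_unsafe() method is the shape of the code behind the syntax error mentioned in the comments below; update_bound() and update_builder() are the two drop-in replacements, and last_sql() lets you confirm in the log that `O'Brien` arrives as `'O\'Brien'`.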


CakePHP runs all model queries through its own methods; if you use the model methods it automatically sanitizes any data passed to the query for you, i.e.:

// The value of $status is escaped by the model layer when the
// conditions array is turned into a WHERE clause.
$options['conditions'] = array('Product.status' => $status);
$this->Product->find('first', $options);



Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.

2 Comments

Thank you for your response, with a default installation of CodeIgniter, I added in the database library and I can insert quotes into a text input which then is sent to an Update query (using the database helper) and it results in a syntax error. So perhaps there is further configuration with CodeIgniter?
@Pete Sorry, I don't understand what you're asking. From your question I thought you were already familiar with CodeIgniter and are looking for ORM libraries like the one CI uses, which doesn't require any manual escaping...? Personally I have no experience with CI, so I can't tell you any specifics about it.
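The answer above points at prepared statements as the framework-free option, and the comment under it describes quotes in an UPDATE producing a syntax error. The following added example (not from the answer or its comments) shows both the broken concatenated UPDATE and the prepared-statement version using plain PDO. It uses an in-memory SQLite database (PHP's pdo_sqlite extension) so it runs stand-alone; the `user` table and its rows are constructed for illustration.

```php
<?php
// Added example, not code from the answer above. Assumed: PHP with the
// pdo_sqlite extension; the `user` table and its rows are constructed here.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO user (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

// VULNERABLE: the value is spliced into the SQL text, so the database
// parses it as SQL.
function updateNameUnsafe(PDO $pdo, int $id, string $name): void
{
    $pdo->exec("UPDATE user SET name = '$name' WHERE id = $id");
}

// SAFE: the statement is compiled first and the values are sent separately,
// so a quote inside $name is just a character in the stored string.
function updateNameSafe(PDO $pdo, int $id, string $name): void
{
    $stmt = $pdo->prepare('UPDATE user SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

function names(PDO $pdo): array
{
    return $pdo->query('SELECT id, name FROM user ORDER BY id')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

$pdo = connect();

// 1. An apostrophe terminates the string literal early: syntax error,
//    the failure described in the comments.
try {
    updateNameUnsafe($pdo, 1, "O'Brien");
} catch (PDOException $e) {
    echo "unsafe update failed: " . $e->getMessage() . "\n";
}

// 2. A crafted value closes the literal and supplies its own WHERE clause,
//    so the row with id 2 is renamed although the caller asked for id 1.
updateNameUnsafe($pdo, 1, "mallory' WHERE id = 2 --");
print_r(names($pdo));

// 3. With a prepared statement the same hostile string is stored literally
//    in row 1, and the apostrophe in O'Brien is stored without error.
updateNameSafe($pdo, 1, "mallory' WHERE id = 2 --");
updateNameSafe($pdo, 2, "O'Brien");
print_r(names($pdo));
```

The three calls walk from the syntax error the comment reports, to the quieter failure where the same hole rewrites a different user's record, to the prepared version where neither input can alter the statement. Against MySQL the same code applies with a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to false there makes the server, rather than the PDO driver, perform the binding.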
