Function - how to avoid sql injection in codeigniter

Questions

In CodeIgniter, how can I avoid SQL injection? Is there any option to set in the config file to avoid SQL injection? I am using this code for selecting values:

$this->db->query("SELECT * FROM tablename WHERE var= $val1 ");

and this for inserting values:

$this->db->query("INSERT INTO  tablename (`var1`,`var2`) VALUES ( $val1 , $val2 )");

Another method used to insert and select values from the database is CodeIgniter's insert() and get() methods. Is there any chance of SQL injection while using CodeIgniter's built-in functions?

Answers

https://www.codeigniter.com/userguide2/database/active_record.html

// Active Record: the value passed to where() is escaped by the driver
$this->db->select('*')->from('tablename')->where('var', $val1);
$query = $this->db->get();

or

// insert() lives on the database object, and escapes each array value
$this->db->insert('tablename', array('var1' => $val1, 'var2' => $val2));

https://www.codeigniter.com/userguide2/database/queries.html

// Query binding: each ? is replaced with the escaped value from the array
$sql = "SELECT * FROM tablename WHERE var = ?";
$this->db->query($sql, array($val1));

https://www.codeigniter.com/userguide2/database/helpers.html

// insert_string() builds an INSERT statement with the values escaped
$sql = $this->db->insert_string('tablename', array('var1' => $val1, 'var2' => $val2));
$this->db->query($sql);

https://www.codeigniter.com/userguide2/database/queries.html

// escape() escapes string data and adds the surrounding single quotes itself,
// which is why the query below does not quote $val1 again
$val1 = $this->db->escape($val1);
$this->db->query("SELECT * FROM tablename WHERE var=$val1");
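The difference between the asker's interpolated query and the `?` bindings recommended in the answer can be seen by running both shapes against a small database. The block below is an added example, not code from the original question, answer or CodeIgniter itself: it uses Python's sqlite3 module as a stand-in for CodeIgniter's database driver, the table `tablename`, its columns (`id`, `var`, `secret`) and the three rows are constructed here, and the `ORDER BY` allowlist at the end is an assumed helper that illustrates a limit of bindings, not a CodeIgniter API.

```python
import sqlite3

# Constructed sample table standing in for the question's `tablename`
# (example schema and rows, not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tablename (id INTEGER PRIMARY KEY, var TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO tablename (var, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn


def select_interpolated(conn, val1):
    # Same shape as the question's
    #   $this->db->query("SELECT * FROM tablename WHERE var= $val1 ");
    # The value becomes part of the SQL text, so it can change the statement.
    sql = f"SELECT * FROM tablename WHERE var = {val1}"
    return conn.execute(sql).fetchall()


def select_bound(conn, val1):
    # Same shape as the answer's
    #   $this->db->query("SELECT * FROM tablename WHERE var = ?", array($val1));
    # The driver sends the value separately; it can only ever be compared as data.
    return conn.execute("SELECT * FROM tablename WHERE var = ?", (val1,)).fetchall()


def insert_bound(conn, val1, val2):
    # Bound equivalent of the question's INSERT; returns the new row id.
    cur = conn.execute(
        "INSERT INTO tablename (var, secret) VALUES (?, ?)", (val1, val2)
    )
    return cur.lastrowid


# Bindings and escape() only cover values. A column name used in ORDER BY
# cannot be bound, so it has to be checked against a fixed list instead.
# Assumed helper for illustration, not a CodeIgniter function.
ALLOWED_ORDER_COLUMNS = ("id", "var")


def select_ordered(conn, column):
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"refusing to order by untrusted column {column!r}")
    return conn.execute(f"SELECT var FROM tablename ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "'x' OR 1=1"
    print("interpolated:", select_interpolated(db, payload))  # every row leaks
    print("bound:", select_bound(db, payload))                # no row matches
```

With the interpolated form, a value of `'x' OR 1=1` turns the statement into `WHERE var = 'x' OR 1=1` and every row comes back; with the bound form the same string is compared literally against the `var` column and matches nothing. The same holds for CodeIgniter's `escape()`: it protects values placed in the SQL text, but neither mechanism can protect a table or column name, a LIMIT count, or an ORDER BY direction spliced in from user input, which is why `select_ordered()` falls back to an allowlist.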

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/5857386/how-to-avoid-sql-injection-in-codeigniter
