busytraining

Reputation: 773

codeigniter escaping using Active Record Class for sql injections

From what I understand using $this->db->insert() escapes the values:

http://codeigniter.com/user_guide/database/active_record.html#insert

Note: All values are escaped automatically producing safer queries.

But when I look into MySQL, my inputs are not escaped. Is it for some reason removed somehow?

Worried about SQL injections here, that's why I'm asking.

Upvotes: 1

Views: 4744

Answers (2)

user1440875

When you escape a string for SQL statements, it doesn't necessarily mean that you should see backslashes added when you look into the data later. It means that certain characters will be escaped and the SQL statement will run without any errors. Try inserting data with mysql_real_escape_string.

LINE: 557 https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Input.php

if ( ! is_php('5.4') && get_magic_quotes_gpc())
{
    $str = stripslashes($str);
}

And then

LINE: 285 https://github.com/EllisLab/CodeIgniter/blob/develop/system/database/drivers/mysql/mysql_driver.php

$str = is_resource($this->conn_id) ? mysql_real_escape_string($str, $this->conn_id) : addslashes($str);

The string is passed through mysql_real_escape_string or addslashes. Hence, we can say that safety measures against SQL injections are taken into account.

Upvotes: 2

dmmd

Reputation: 3009

By "escaped" they mean replacing this:

SELECT * FROM table1 WHERE field1 LIKE "some string with " quotes"

for this:

SELECT * FROM table1 WHERE field1 LIKE "some string with \" quotes"

If you want to make sure your strings are escaped before saving them, consider using the $this->db->escape* methods: http://codeigniter.com/user_guide/database/queries.html

Also, check:

Upvotes: 0
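The round trip both answers describe, as an added example that is not part of the original page or of CodeIgniter itself: a small Python model of what mysql_real_escape_string() does on the client side, what the $this->db->escape(), escape_str() and escape_like_str() helpers add on top of it, and how the MySQL server decodes the quoted literal back into the bytes that actually land in the row. The posts table, title column, addslashes() emulation and the injection payload are all constructed for the demonstration. It shows why the INSERT statement carries backslashes while the stored value does not, why the stripslashes() step in Input.php matters (without it the row would contain backslashes), and why the same escaping stops a quote-breakout payload.

```python
# Added example, not CodeIgniter's code: models client-side escaping and
# server-side literal decoding so the effect can be seen without a database.

# Characters mysql_real_escape_string() rewrites (NUL, LF, CR, \, ', ", Ctrl-Z).
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

# How MySQL maps a backslash sequence inside a string literal back to a byte.
# \% and \_ are left as-is so LIKE patterns keep the escaped wildcard.
_UNESCAPES = {
    "0": "\0", "n": "\n", "r": "\r", "b": "\b", "t": "\t", "Z": "\x1a",
    "\\": "\\", "'": "'", '"': '"', "%": "\\%", "_": "\\_",
}

PREFIX = "INSERT INTO posts (title) VALUES ("  # constructed sample statement


def escape_str(value: str) -> str:
    """Client side: what mysql_real_escape_string() / $this->db->escape_str() do."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def escape(value: str) -> str:
    """What $this->db->escape() does for strings: escape and add the quotes."""
    return "'" + escape_str(value) + "'"


def escape_like_str(value: str) -> str:
    """What $this->db->escape_like_str() adds: neutralise LIKE wildcards too."""
    return escape_str(value).replace("%", "\\%").replace("_", "\\_")


def addslashes(value: str) -> str:
    """Emulation of PHP addslashes(), i.e. what magic_quotes_gpc did to input."""
    return "".join("\\" + ch if ch in "'\"\\\0" else ch for ch in value)


def decode_literal(literal: str) -> str:
    """Server side: decode a single-quoted MySQL literal into the stored value.

    Raises ValueError if an unescaped quote ends the literal early, which is
    exactly the condition an injection payload relies on.
    """
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'" and i + 1 < len(body) and body[i + 1] == "'":
            out.append("'")  # '' is the other legal way to write a quote
            i += 2
        elif ch == "'":
            raise ValueError("literal terminated early: statement broken out of")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def build_insert(title: str) -> str:
    """The statement CodeIgniter would send: value escaped and quoted."""
    return PREFIX + escape(title) + ")"


def stored_value(title: str) -> str:
    """What ends up in the row after the server decodes the escaped literal."""
    stmt = build_insert(title)
    return decode_literal(stmt[len(PREFIX):-1])


def stored_value_unescaped(title: str) -> str:
    """Same statement built without escaping; raises on a breakout payload."""
    return decode_literal("'" + title + "'")


if __name__ == "__main__":
    payload = "x'); DROP TABLE posts; --"        # constructed injection attempt
    print(build_insert(payload))                  # backslashes visible here
    print(repr(stored_value(payload)))            # ... but not in the row
    print(repr(stored_value(addslashes("O'Reilly"))))  # double-escaped: backslash stored
    try:
        stored_value_unescaped(payload)
    except ValueError as exc:
        print("unescaped:", exc)
```

The escaped statement for the payload reads `INSERT INTO posts (title) VALUES ('x\'); DROP TABLE posts; --')`, the quote cannot terminate the literal, and the decoded row holds the payload verbatim with no backslash in it. Feeding a value that magic_quotes_gpc had already passed through addslashes() is the one case where a backslash does get stored, which is what the stripslashes() call at Input.php line 557 prevents.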
