random425

Reputation: 719

Codeigniter 3 SQL Injection query

Suppose that $this->input->post('location') holds an array like this:

Array
(
    [0] => 0
    [1] => 1
    [2] => 2
    [3] => 3
    [4] => 4
    [5] => 5
    [6] => 6
    [7] => 7
)

Is this query "Sql Injection" safe?

$in  = str_repeat('?,', count($this->input->post('location')) - 1) . '?';
$sql = "SELECT id 
        FROM location
        WHERE id IN ($in)";
$locations = $this->db->query($sql, $this->input->post('location'));

Thanks!

Upvotes: 2

Views: 1085
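The placeholder-per-value pattern from the question, as an added stand-alone example (not code from the original post or from CodeIgniter). It runs against a constructed in-memory SQLite table through PDO so it can be executed without a CI install; CodeIgniter 3's $this->db->query($sql, $binds) achieves the same effect differently (it escapes each bind in PHP and splices it into the SQL string before sending it), but the property that matters is identical: every value fills exactly one marker and is never parsed as SQL. The table name, the ids 0..7 and the injection payload are constructed sample data.

```php
<?php
// Added example, not from the original post. Shows why the "?,?,...,?" list plus
// a bind array is injection-safe, and handles the empty-input edge case the
// question's str_repeat() version does not.
declare(strict_types=1);

/**
 * Build "SELECT id FROM location WHERE id IN (?,?,...)" with one marker per value.
 * Returns null for an empty list: str_repeat('?,', -1) throws a ValueError on
 * PHP 8, and "IN ()" is a syntax error in MySQL anyway, so callers must handle it.
 */
function buildInQuery(array $values): ?string
{
    if ($values === []) {
        return null;
    }
    $in = implode(',', array_fill(0, count($values), '?'));   // e.g. "?,?,?"
    return "SELECT id FROM location WHERE id IN ($in)";
}

/**
 * Run the query with $values bound positionally. array_values() re-indexes the
 * array because positional binding only works from a plain list; a POST array
 * with gaps or string keys would otherwise bind in the wrong order or fail.
 */
function findLocations(PDO $db, array $values): array
{
    $sql = buildInQuery($values);
    if ($sql === null) {
        return [];
    }
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($values));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample table: ids 0..7, matching the array in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE location (id INTEGER PRIMARY KEY)');
foreach (range(0, 7) as $id) {
    $db->exec("INSERT INTO location (id) VALUES ($id)");
}

// 1. Normal input (POST values arrive as strings): each one lands in its own marker.
print_r(findLocations($db, ['2', '5', '7']));

// 2. Injection attempt: the payload is bound as one string value, so it is compared
//    against id as data and matches nothing. Concatenated into the SQL instead, the
//    same text would close the IN list and turn the WHERE clause into "OR 1=1".
print_r(findLocations($db, ['1) OR 1=1 --']));

// 3. Empty or missing POST value: returns an empty list instead of producing
//    "IN ()" or a str_repeat() error.
print_r(findLocations($db, []));
```

The first call returns ids 2, 5 and 7, the other two return empty arrays. The $in string and the bind array built here are exactly what you would hand to $this->db->query() in CI3; the one thing to keep in step is their sizes, since CI3 leaves the SQL untouched (markers and all) when the number of ? markers differs from count($binds), which is why deriving $in from count() of the same array you pass as binds is the right habit.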

Answers (2)

Dimitrios Desyllas

Reputation: 10166

As seen on http://www.codeigniter.com/user_guide/database/queries.html, yes, it is safe to do it like that. But you need only one '?'.

So the code should be like this:

$sql = "SELECT id 
        FROM location
        WHERE id IN (?)";
$locations = $this->db->query($sql, $this->input->post('location'));

Upvotes: 1

Atural

Reputation: 5439

I'm unsure if this is worth an answer, but I'm doing it anyway. Yes, your query is safe, like alex said in the comments, but what I don't understand is the unnecessary complexity with str_repeat. I'm not sure, but there are alternatives in CI to write down a query like that:

$query = $this->db
            ->select("id")
            ->from("location")
            ->where_in("id",$this->input->post("location"))
            ->get();

The query above does the job too. Am I overlooking something here, or are you just unaware of the built-in query builder?

Upvotes: 3
