luka032
luka032

Reputation: 955

Codeigniter php: SQL injection prevent

I've finished one application, but while developing haven't checked about sql injections and now at the end, i need to fix this little issue.

Here's my code, how could i on easiest way fix this to prevent sql injection (is there any function just to format my username, password parameters, not to change my code).

public function getArtistByUsernameByPassword($username, $password) {
    $query = $this->db->query("SELECT * FROM artists WHERE username = '$username' AND  password = ' $password'");
    if ($query->num_rows() > 0) {
        return $query->row_array();
    }
    return null;
}

Thanks in advance!

Upvotes: 0

Views: 430

Answers (2)

TheDrot
TheDrot

Reputation: 4337

Use Codeigniter's query builder class.

So your code would look like this.

$query = $this->db->get_where('artists', array('username' => $username, 'password' => $password));

Upvotes: 1

fatihn
fatihn

Reputation: 147

Use db->escape() and db->escapestr() functions to avoid sql injection...

Upvotes: 0

Related Questions