max_

Reputation: 24521

MySQL Security in CodeIgniter

I am new to CodeIgniter, but not new to PHP, and I was wondering what I needed to do in CodeIgniter in order to make all of my queries secure.

Usually, I just use mysql_real_escape_string() on each variable used in the query (standard PHP), but I watched a tutorial on CodeIgniter, where the author didn't escape the variable and just did a standard insert like the following:

$this->db->query("SELECT * FROM Users WHERE Username = ?", array($username));

Which way is correct?

Upvotes: 2

Views: 1679

Answers (1)

Tudor Constantin

Reputation: 26871

Your example does parameter binding

As you can read in the last paragraph of the above link, binding automatically escapes the value passed to query:

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.

Upvotes: 5
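As an added example (not the asker's or answerer's code, and not CodeIgniter's own source), here is a CodeIgniter 3 model that places the concatenated query beside the bound and Query Builder forms, and shows the one case binding does not cover: identifiers such as a sort column. It assumes a `Users` table with a `Username` column (from the question) and a hypothetical `Email` column; the model name `User_model` is a placeholder.

```php
<?php
// Added example, not from the question or answer above. Assumes a `Users`
// table with `Username` (from the question) and a hypothetical `Email`
// column; `User_model` is a placeholder name.
class User_model extends CI_Model
{
    // UNSAFE: the raw value is concatenated into the SQL, so a username
    // containing a quote character changes the query's structure. Shown
    // only as the pattern that the bound versions below replace.
    public function find_unsafe($username)
    {
        return $this->db->query(
            "SELECT * FROM Users WHERE Username = '" . $username . "'"
        )->row();
    }

    // SAFE: query binding. Each `?` is replaced by the matching array
    // element after the driver escapes and quotes it, so the value is
    // always treated as data. Binds must be listed in placeholder order.
    public function find_by_username($username)
    {
        return $this->db->query(
            'SELECT * FROM Users WHERE Username = ?', array($username)
        )->row();
    }

    // Equivalent using Query Builder, which escapes values the same way.
    public function find_by_username_qb($username)
    {
        return $this->db->where('Username', $username)->get('Users')->row();
    }

    // Binding covers VALUES only. A column name cannot be bound, so it is
    // checked against a fixed whitelist before it goes into the SQL;
    // the LIMIT value is still passed as a bind.
    public function list_sorted($column, $limit = 10)
    {
        $allowed = array('Username', 'Email'); // Email is assumed
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException('Unknown sort column');
        }
        return $this->db->query(
            "SELECT * FROM Users ORDER BY `{$column}` LIMIT ?",
            array((int) $limit)
        )->result();
    }
}
```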