Reputation: 24521
MySQL Security in CodeIgniter
I am new to CodeIgniter, but not new to PHP, and I was wondering what I needed to do in CodeIgniter in order to make all of my queries secure.
Usually, I just use mysql_real_escape_string() on each variable used in the query (standard PHP), but I watched a tutorial on CodeIgniter, where the author didn't escape the variable and just did a standard insert like the following:
$this->db->query("SELECT * FROM Users WHERE Username = ?", array($username));
Which way is correct?
Upvotes: 2
Views: 1679
Answers (1)
Reputation: 26871
Your example does parameter binding
As you can read in the last paragraph of the above link, binding automatically escapes the value passed to query:
The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.
Upvotes: 5
Related Questions
- How to avoid SQL injection in CodeIgniter?
- codeigniter query builder and active record sql injection
- Codeigniter php: SQL injection prevent
- Prevent SQL Injection in CodeIgniter
- Codeigniter SQL Injection
- sql injection vulnerability to codeigniter or php
- Prevent SQL injections in codeigniter
- Code Igniter security with insert function
- Security in the codeigniter
- SQL Injection and Codeigniter