Reputation: 24521
I am new to CodeIgniter, but not new to PHP, and I was wondering what I needed to do in CodeIgniter in order to make all of my queries secure.
Usually, I just use mysql_real_escape_string() on each variable used in the query (standard PHP), but I watched a tutorial on CodeIgniter, where the author didn't escape the variable and just did a standard insert like the following:
$this->db->query("SELECT * FROM Users WHERE Username = ?", array($username));
Which way is correct?
Upvotes: 2
Views: 1679
Reputation: 26871
Your example does parameter binding.
As you can read in the last paragraph of the above link, binding automatically escapes the value passed to query:
The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.
Upvotes: 5
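To make the comparison concrete, here is an added example (not code from the question, the answer, or the CodeIgniter project) showing the unsafe interpolated form next to the three ways CodeIgniter 3 escapes a value for you: query binding as in the question, Query Builder, and the driver's own escape(). The model name, the Users table and the Username column are assumed.

```php
<?php
// Added example: CodeIgniter 3 model methods that look up a user by name.
// Model name, table and column are assumed for illustration.
class User_model extends CI_Model
{
    // Unsafe: the value is interpolated into the SQL string, so a username
    // containing a quote changes the query. Shown only as the 'before' case.
    public function find_unsafe($username)
    {
        $sql = "SELECT * FROM Users WHERE Username = '$username'";
        return $this->db->query($sql)->result_array();
    }

    // Safe: query binding. Each ? is replaced by the escaped, quoted value,
    // exactly as in the snippet from the question.
    public function find_by_query_binding($username)
    {
        $sql = "SELECT * FROM Users WHERE Username = ?";
        return $this->db->query($sql, array($username))->result_array();
    }

    // Safe: Query Builder escapes values passed to where()/get_where() the
    // same way, and also quotes the identifiers for you.
    public function find_by_query_builder($username)
    {
        return $this->db->get_where('Users', array('Username' => $username))
                        ->result_array();
    }

    // Safe: when SQL really must be assembled by hand, use the driver's
    // escape(), which quotes and escapes for the active database, instead of
    // mysql_real_escape_string() (removed together with the mysql extension).
    public function find_manual_escape($username)
    {
        $sql = 'SELECT * FROM Users WHERE Username = '
             . $this->db->escape($username);
        return $this->db->query($sql)->result_array();
    }
}
```

Binding and escape() protect values only: a table name, column name or sort direction cannot be bound, so anything of that kind that comes from the request has to be checked against a fixed list of allowed names before it goes into the query.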