
Prevent SQL injection in Codeigniter (CI)

SQL injection is an attack on database queries. In plain PHP we use the mysql_real_escape_string() function, along with other techniques, to prevent it, but CodeIgniter provides built-in functions and libraries for this purpose.



We can prevent SQL injection in CodeIgniter in the following three ways:

Escaping Queries
Query Binding
Active Record Class



Escaping Queries
<?php
// Read the submitted user name and let escape() quote and escape it before concatenation.
$name = $this->input->post('uname');
$cn = 'SELECT * FROM tbl_users WHERE user_name=' . $this->db->escape($name);
$this->db->query($cn);
?>
Here $this->db->escape() determines the data type so that it escapes only string data.
It also automatically adds single quotes around the data, so you don't have to add them yourself.

Preventing SQL injection in Codeigniter using Query Binding Method 

<?php
    // Each ? placeholder is filled, in order, from the array passed as the second argument.
    $sql = "SELECT * FROM subscribers_tbl WHERE status = ? AND email= ?";
    $this->db->query($sql, array('active', 'dev2tricks.com.in'));
?>
The question marks in the query are automatically replaced with the values in the array passed as the second parameter of the query() function.

With the Query Binding method you don't have to escape the values manually, as CodeIgniter does that for you.


Preventing SQL injection in Codeigniter using Active Record Class

<?php
   // The Active Record (Query Builder) class escapes the values in the where array itself.
   $this->db->get_where('subscribers_tbl', array('status' => 'active', 'email' => 'dev2tricks.com.in'));
?>
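As an added example (not code from the original post), the three techniques side by side in one CodeIgniter 3 model, assuming the subscribers_tbl table from the post and a hypothetical Subscriber_model; the last method goes beyond the post to cover the LIKE case, where escape() alone does not handle the wildcard characters:

```php
<?php
// Added example, not code from the original post: a CodeIgniter 3 model that looks up
// subscribers with the three techniques described above. Table and column names follow
// the post; the model and method names are assumed. The LIKE helper goes beyond the post.
defined('BASEPATH') OR exit('No direct script access allowed');

class Subscriber_model extends CI_Model
{
    // 1. Escaping. escape() quotes and escapes strings, so an address such as
    //    o'brien@example.com becomes 'o\'brien@example.com' and cannot close the
    //    literal early. Do not add your own quotes around the escaped value.
    public function find_by_email_escaped($email)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE email = ' . $this->db->escape($email);
        return $this->db->query($sql)->row_array();
    }

    // 2. Query binding. Each ? is replaced by the matching array element, already
    //    escaped. The number of placeholders must equal the number of values.
    public function find_active_by_email_bound($email)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE status = ? AND email = ?';
        return $this->db->query($sql, array('active', $email))->row_array();
    }

    // 3. Query Builder (Active Record). Values passed in the array are escaped by the
    //    library; that protection applies only when the value is passed separately,
    //    not when it has been concatenated into a custom where() string.
    public function find_active_by_email_builder($email)
    {
        return $this->db
            ->get_where('subscribers_tbl', array('status' => 'active', 'email' => $email))
            ->row_array();
    }

    // LIKE needs escape_like_str() as well: escape() leaves the wildcards % and _
    // alone, so they would keep their special meaning inside the pattern. The quotes
    // and the ESCAPE clause are written here because escape_like_str() adds neither.
    public function find_by_email_prefix($prefix)
    {
        $sql = "SELECT * FROM subscribers_tbl WHERE email LIKE '"
             . $this->db->escape_like_str($prefix) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result_array();
    }
}
```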