Does CodeIgniter automatically prevent SQL injection?

CodeIgniter DOES ESCAPE the variables you pass by when using the $this->db->query method. But ONLY when you pass the variables as binds, here’s an example:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = ?", array($this->input->post('username')));

Also remember that $_POST shouldn’t be preferred over $this->input->post since what it does is check if the variables exists to prevent errors.

More Related Contents:

CodeIgniter Disallowed Key Characters
subquery in codeigniter active record
Convert string to ObjectID in MongoDB
Codeigniter – no input file specified
codeigniter CSRF error: “The action you have requested is not allowed.”
Codeigniter image resize?
Removing specific items from array with MongoDB
How to rewrite the index.php of Codeigniter on Windows Azure
HTTP OPTIONS error in Phil Sturgeon’s Codeigniter Restserver and Backbone.js
Uploading a csv into Codeigniter
Using Mysql WHERE IN clause in codeigniter
Constructor session validation for different functions
How to upload image in CodeIgniter?
COUNT / GROUP BY with active record?
Correct naming structure for CodeIgniter
PostgreSQL next value of the sequences?
How to avoid SQL injection in CodeIgniter?
How to integrate codeIgniter with netbeans fully
Where do I put image files, css, js, etc. in Codeigniter?
Upstream too big – nginx + codeigniter
how to load view into another view codeigniter 2.1?
how to validate array value in codeigniter
CodeIgniter session class not working in Chrome
codeigniter table join
Codeigniter select query with AND and OR condition
codeigniter : Commands out of sync; you can’t run this command now
How does the SQL injection from the “Bobby Tables” XKCD comic work?
Non-web SQL Injection
How do I remove ‘index.php’ from URL in CodeIgniter?
Routes in Codeigniter – Automatically

More Related Contents:

Leave a Comment Cancel reply