Does CodeIgniter automatically prevent SQL injection?

CodeIgniter DOES ESCAPE the variables you pass in when using the $this->db->query method, but ONLY when you pass the variables as binds. Here's an example: $dbResult = $this->db->query("SELECT * FROM users WHERE username = ?", array($this->input->post('username'))); Also remember that $_POST shouldn't be preferred over $this->input->post, since what it does is check if the variable exists … Read more
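
The contrast the answer is drawing, as an added example that is not part of the original answer: the same lookup written unsafely with string interpolation, then with `?` binds, then with Query Builder, in a CodeIgniter 3 controller or model where $this->db is already loaded. The $username value is constructed sample input standing in for $this->input->post('username'); the `allowed_sort` allowlist is an illustration of the one thing binds cannot do.

```php
<?php
// Added example, not the answer's code: CodeIgniter 3, $this->db loaded.
// Only the first variant is vulnerable; it is shown for contrast.

// Constructed sample input standing in for $this->input->post('username').
$username = "admin' OR '1'='1";

// 1) UNSAFE: string interpolation. The quote in $username closes the SQL
//    literal and the remainder becomes SQL, so every row comes back.
$unsafe = "SELECT * FROM users WHERE username = '" . $username . "'";
// $this->db->query($unsafe);   // never run this

// 2) SAFE: '?' binds. query() substitutes each '?' with the escaped and
//    quoted value before the string reaches the driver. Note that CI3 does
//    this at the string level; it is not a server-side prepared statement,
//    but the value is still treated as data.
$rows = $this->db->query(
    'SELECT * FROM users WHERE username = ?',
    array($username)
)->result();

// 3) SAFE: Query Builder. where()/get_where() escape values by default.
$rows = $this->db->get_where('users', array('username' => $username))->result();

// Caveat: binds and escaping cover values only. Identifiers and keywords
// (column names, ORDER BY direction, LIMIT) cannot be bound, so map user
// input for those onto an allowlist (assumed 'sort' parameter).
$allowed_sort = array('username', 'created_at');
$sort = in_array($this->input->get('sort'), $allowed_sort, TRUE)
    ? $this->input->get('sort')
    : 'username';
$rows = $this->db->order_by($sort, 'ASC')->get('users')->result();
```

Variant 1 returns every user for the sample input; variants 2 and 3 look for a user whose name is literally `admin' OR '1'='1` and return nothing.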

subquery in codeigniter active record

->where() supports passing any string to it and it will use it in the query. You can try using this: $this->db->select('*')->from('certs'); $this->db->where('`id` NOT IN (SELECT `id_cer` FROM `revokace`)', NULL, FALSE); The , NULL, FALSE in the where() tells CodeIgniter not to escape the query, which may mess it up. UPDATE: You can also check out the subquery … Read more
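
The same NOT IN subquery, as an added example that is not part of the original answer, showing how to use the unescaped where() fragment without letting user input into it: the inner SELECT is compiled with Query Builder, the raw fragment holds only that trusted string, and the user-controlled filter goes through a normal, escaped where(). It assumes CodeIgniter 3 with $this->db loaded; the `issuer` column and its sample value are constructed for the example.

```php
<?php
// Added example, not the answer's code: CodeIgniter 3 Query Builder.
// The third argument FALSE disables escaping for that where() fragment, so
// the fragment must contain nothing derived from user input.

// Constructed sample input; imagine it came from $this->input->get('issuer').
$issuer = "x') OR 1=1 --";

// Build the inner SELECT with Query Builder and compile it to SQL text.
// get_compiled_select() returns the string and (by default) resets the builder.
$sub = $this->db->select('id_cer')->from('revokace')->get_compiled_select();
// $sub is now: SELECT `id_cer` FROM `revokace`

$this->db->select('*')->from('certs');

// Raw fragment, escaping off: it is a SQL expression, not a literal, and it
// contains only the subquery we just built ourselves.
$this->db->where('`id` NOT IN (' . $sub . ')', NULL, FALSE);

// User-controlled value: ordinary where(), escaping on. The sample input is
// quoted as a single string literal and matches no row.
$this->db->where('issuer', $issuer);

// What NOT to do: the same value concatenated into an unescaped fragment.
// $this->db->where("`issuer` = '" . $issuer . "'", NULL, FALSE);  // injectable

$rows = $this->db->get()->result();
```

The rule of thumb this follows: pass FALSE as the third argument only for text you wrote yourself, and keep every request-derived value in a where()/where_in() call that still escapes.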

CodeIgniter Disallowed Key Characters

The problem is you are using characters not included in the standard regex. Use this: !preg_match("/^[a-z0-9\x{4e00}-\x{9fa5}\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]-\}\{]+$/iu", $str) As per the comments (and personal experience) you should not modify the Input.php file; rather, you should create/use your own MY_Input.php as follows: <?php class MY_Input extends CI_Input { /** * Clean Keys * * This … Read more
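
A complete MY_Input.php of the kind the answer recommends, as an added example that is not the answer's code: it overrides the key check to admit CJK ideographs on top of CodeIgniter 3's stock character set, leaving system/core/Input.php untouched. The allowlist here is deliberately narrower than the regex quoted above. It assumes CI3's protected _clean_input_keys($str, $fatal = TRUE) method, the EXIT_USER_INPUT constant and the UTF8_ENABLED/$this->uni helpers; check them against your installed version.

```php
<?php
// Added example, not the answer's code: application/core/MY_Input.php for
// CodeIgniter 3. Assumes the CI3 _clean_input_keys() signature and the
// EXIT_USER_INPUT constant (constants.php); verify against your version.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Input extends CI_Input
{
    // Allowlist for $_GET/$_POST/$_COOKIE key names. Stock CI3 permits
    // [a-z0-9:_/|-]; the \x{4e00}-\x{9fa5} range adds CJK ideographs.
    // Keep this tight: keys end up as array indexes and in error output,
    // so quotes, brackets, whitespace and '&' stay disallowed.
    const KEY_PATTERN = '/^[a-z0-9:_\/|\x{4e00}-\x{9fa5}-]+$/iu';

    /**
     * Clean Keys
     *
     * Same contract as the parent: return FALSE (key is dropped) when
     * $fatal is TRUE, otherwise stop with a 503, mirroring stock CI3.
     */
    protected function _clean_input_keys($str, $fatal = TRUE)
    {
        if ( ! preg_match(self::KEY_PATTERN, $str))
        {
            if ($fatal === TRUE)
            {
                return FALSE;
            }
            set_status_header(503);
            echo 'Disallowed Key Characters.';
            exit(EXIT_USER_INPUT);
        }

        // Keep CI's own UTF-8 cleanup for the key.
        if (UTF8_ENABLED === TRUE)
        {
            return $this->uni->clean_string($str);
        }

        return $str;
    }
}
```

With this file in place, a form field named 用户名 is accepted, while a key such as `name[]"` is still rejected. If you do need `[` and `]` for array-style field names, add exactly those two characters rather than reopening the list to quotes and ampersands.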