In web application security, SQL injection plays a very important role. To prevent SQL injection in PHP, we usually use the mysql_real_escape_string() function along with other techniques.
In CodeIgniter we do not need to use the mysql_real_escape_string() function. CodeIgniter provides built-in functions and libraries to generate SQL queries, and by using those methods or functions we can avoid SQL injections.
There are three methods to prevent SQL injections in a CodeIgniter application. They are:
1) Escaping Queries
2) Query Binding
3) Active Record Class
Preventing SQL injection in Codeigniter using Escaping Query Method
Example:
<?php
$email = $this->input->post('email');
$query = 'SELECT * FROM subscribers_tbl WHERE user_name=' . $this->db->escape($email);
$this->db->query($query);
?>
Here $this->db->escape() determines the data type so that it escapes only string data.
It also automatically adds single quotes around the data, so you don't have to do that yourself.
Preventing SQL injection in Codeigniter using Query Binding Method
<?php
$sql = "SELECT * FROM subscribers_tbl WHERE status = ? AND email = ?";
// the values in the array replace the ? placeholders in order ('active' is a sample value)
$this->db->query($sql, array('active', $this->input->post('email')));
?>
The question marks in the query are automatically replaced with the values in the array passed as the second parameter of the query() function.
In the Query Binding method you don't have to escape the values manually, as it automatically does that for you.
Preventing SQL injection in Codeigniter using Active Record Class
Using Active Records, query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.
<?php
// Active Record builds and escapes the query for you (table and column follow the earlier examples)
$this->db->where('email', $this->input->post('email'));
$query = $this->db->get('subscribers_tbl');
?>
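The following model puts the three methods from this post side by side, next to the unsafe string concatenation they replace. It is an added example written for this post, not code from CodeIgniter itself; it assumes a CodeIgniter 3 project, and the table name subscribers_tbl and the columns email and status are illustrative.

```php
<?php
// Added example (not from the original post): a CodeIgniter 3 model that
// looks up subscribers with each of the three safe methods described above.
// Table and column names (subscribers_tbl, email, status) are assumed.
defined('BASEPATH') OR exit('No direct script access allowed');

class Subscriber_model extends CI_Model
{
    // UNSAFE: user input is pasted straight into the SQL text. A value that
    // contains a single quote terminates the string literal, and whatever
    // follows is interpreted as SQL. Kept here only for comparison.
    public function find_unsafe($email)
    {
        $sql = "SELECT * FROM subscribers_tbl WHERE email = '" . $email . "'";
        return $this->db->query($sql)->result_array();
    }

    // 1) Escaping: escape() quotes and escapes strings; integers, booleans
    //    and NULL are converted to their SQL form without quotes.
    public function find_by_escape($email, $status)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE email = ' . $this->db->escape($email)
             . ' AND status = ' . $this->db->escape($status);
        return $this->db->query($sql)->result_array();
    }

    // 2) Query binding: each ? is replaced by the matching array element,
    //    escaped by the database driver. The values never touch the SQL text.
    public function find_by_binding($email, $status)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE email = ? AND status = ?';
        return $this->db->query($sql, array($email, $status))->result_array();
    }

    // 3) Active Record / Query Builder: the SQL is generated by the adapter
    //    and every value is escaped automatically.
    public function find_by_builder($email, $status)
    {
        return $this->db
                    ->get_where('subscribers_tbl', array('email' => $email, 'status' => $status))
                    ->result_array();
    }

    // LIKE patterns need the extra step: escape_like_str() neutralises the
    // % and _ wildcards in the user's input before the value is quoted.
    public function search_by_escape($fragment)
    {
        $pattern = '%' . $this->db->escape_like_str($fragment) . '%';
        $sql = 'SELECT * FROM subscribers_tbl WHERE email LIKE ' . $this->db->escape($pattern);
        return $this->db->query($sql)->result_array();
    }
}
```

All three safe methods protect values only. A table or column name that comes from user input (for example a sort column) is not a value and none of these calls make it safe; check such names against a fixed allow-list in your own code before putting them in a query.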
I hope you like this post. Please feel free to comment below with your suggestions and any problems you face; we are here to solve your problems.
I am Arjun from Hyderabad (India). I have been working as a software engineer for the last 7+ years, and it is my passion to learn new things and implement them as a practice. Aside from work, I like gardening and spending time with pets.
good 22, I like your post…
For Oracle DB, the Query Binding Method just replaces Double; it does not work in CodeIgniter.