In my project I use $this->input->(get|post) to pass data to models. In models I always use active records. Is this enough to prevent SQL injections?

+2  A: 

No, it isn't. Edit: Yes it is...didn't see your comment about you using active records. You either need to escape your inputs manually using PHP's or CodeIgniter's escaping functions or you should be using CodeIgniter's query bindings or you can use CodeIgniter's Active Record class. I prefer to do the query bindings as it a) makes my queries look nicer and b) ensures that all of my inputs are cleansed prior to being run in MySQL.

http://codeigniter.com/user_guide/database/queries.html

This works like this:

$qStr = "SELECT * FROM students WHERE id=?";
$q = $this->db->query($qStr, array($id));

CodeIgniter will recognize what type of data your variable is, and wrap it accordingly. That is, if it's a string, it will put ' and ' around the escaped value in the SQL, which is what you need to ensure that users can't inject anything malicious.

treeface
If I choose to use query bindings I'd be deprived of the idea of active records. Is there any other solution out there?
adaxa
If you're using the Active Record class, CI will automatically escape query values when it constructs the SQL. So, in short, yes, you have done enough to prevent injections. Important to note, though: XSS filtering on POST and GET inputs is unrelated to preventing SQL injection. CI handles SQL injection prevention by using its built-in escaping classes in the Active Record class and in query bindings. CI prevents XSS attacks by filtering HTTP request values through its XSS library. Both work quite well.
treeface
This is what I needed
adaxa
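The three escaping paths discussed in this answer side by side with the unsafe pattern they replace, as an added example that is not part of the original post. The model and table names (Student_model, students) are hypothetical; $this->db and $this->input are CodeIgniter's own objects.

```php
<?php
// Added example (not from the original post): a CodeIgniter 2.x/3.x model
// contrasting raw string concatenation with the escaping mechanisms the
// answer describes. Student_model and the students table are hypothetical.
class Student_model extends CI_Model
{
    // UNSAFE: the request value is pasted into the SQL text, so any SQL
    // syntax inside $id becomes part of the statement instead of a value.
    public function find_unsafe($id)
    {
        return $this->db->query("SELECT * FROM students WHERE id = " . $id)->row();
    }

    // SAFE (query bindings): each ? is replaced by the escaped, quoted value.
    public function find_bound($id)
    {
        return $this->db->query("SELECT * FROM students WHERE id = ?", array($id))->row();
    }

    // SAFE (Active Record): where() escapes and quotes the value itself,
    // which is why the question's approach is already sufficient.
    public function find_ar($id)
    {
        return $this->db->where('id', $id)->get('students')->row();
    }

    // SAFE (manual escaping): for the rare query neither mechanism fits.
    public function find_escaped($id)
    {
        $sql = "SELECT * FROM students WHERE id = " . $this->db->escape($id);
        return $this->db->query($sql)->row();
    }
}

// Hypothetical controller usage: the second argument to get()/post() is
// CI's XSS filter, which, as the comments note, is unrelated to SQL escaping;
// the SQL escaping happens inside the model calls above.
// $id = $this->input->get('id', TRUE);
// $row = $this->student_model->find_ar($id);
```

To confirm what was actually sent to MySQL, call $this->db->last_query() after any of the safe methods and check that the value arrives quoted and escaped.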