Does CodeIgniter Automatically Prevent SQL Injection?
So, does CodeIgniter automatically prevent SQL injection? The answer is no.
SQL injection, according to Wikipedia, "is a code injection technique that exploits a security vulnerability occurring in the database layer of an application".
CodeIgniter doesn't prevent this on its own, but it gives you the means to escape the values that go into your SQL. There are two ways CodeIgniter does this:
One is through query binding:
No binding (the values are concatenated straight into the SQL string, so any quote or SQL in them becomes part of the query):
$this->db->query("INSERT INTO table_name (column1, column2) VALUES ('$val1', '$val2')");
With binding (each ? is replaced by the escaped value from the array passed as the second argument):
$this->db->query('INSERT INTO table_name (column1, column2) VALUES (?, ?)', array($val1, $val2));
Second is through the CodeIgniter Active Record class:
No Active Record:
$this->db->query("INSERT INTO table_name (column1, column2) VALUES ('$val1', '$val2')");
With Active Record (the values in the array are escaped for you):
$this->db->insert('table_name', array('column1' => $val1, 'column2' => $val2));
Almost all frameworks offer some kind of protection from SQL injections. This is how CodeIgniter does it.
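To show the two techniques side by side in a real context, here is an added example (not code from the original post or from CodeIgniter itself): a CodeIgniter 2.x-style model that looks up and creates users. The table and column names (users, username, email) and the method names are assumed for illustration.

```php
<?php
// Added example: the same lookup written three ways in a CodeIgniter model.
// Assumed table "users" with columns "username" and "email".
class User_model extends CI_Model
{
    // No binding: the argument is glued into the SQL text, so a quote inside
    // $username ends the string literal and the rest is parsed as SQL.
    public function find_unsafe($username)
    {
        $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->result();
    }

    // Query binding: the driver escapes each value from the array and puts
    // it in place of a ?, so the input is always treated as data.
    public function find_bound($username)
    {
        $sql = 'SELECT * FROM users WHERE username = ?';
        return $this->db->query($sql, array($username))->result();
    }

    // Active Record: get_where() builds the WHERE clause and escapes
    // the value itself.
    public function find_active_record($username)
    {
        return $this->db
            ->get_where('users', array('username' => $username))
            ->result();
    }

    // Active Record insert: every value in the array is escaped, which is
    // the form the post shows above.
    public function create($username, $email)
    {
        return $this->db->insert('users', array(
            'username' => $username,
            'email'    => $email,
        ));
    }

    // When you must build raw SQL yourself, escape() wraps the value in
    // quotes and escapes it; it is the manual equivalent of binding.
    public function find_escaped($username)
    {
        $sql = 'SELECT * FROM users WHERE username = '
             . $this->db->escape($username);
        return $this->db->query($sql)->result();
    }
}
```

Binding, Active Record and escape() protect values only; table names, column names and ORDER BY directions are never escaped, so anything of that kind that comes from a request has to be checked against a fixed list of allowed names before it goes near a query.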
2 Comments
Manny
This was a great help to me as a CI newbie. Hope to see more articles from you on CodeIgniter.
November 2nd 2009
Mark
Very nice article indeed. I learned a few things - for example, I didn’t know about binding :P
November 2nd 2009