1

Just read this on Stack overflow and thus left me wondering if SQL injection is possible through active records in CI.

At most of the places in my project, for user registration and user profile update, I have done SQL insertions like this :

Controller :

$name = $this->input->post('name');
$last_name = $this->input->post('last_name');
$age = $this->input->post('dob');

$user_data = array(
    'name' => $name,
    'last_name' => $last_name,
    'age' => $age
);

$this->user_model->add_user_function($user_data);

Model:

function add_user_function($data)
{
    $this->db->insert('user_table',$data);
    return;
}

Just like the example in the SO link above, is my code vulerable to SQL injection?
Can you give a particular example if it is possible to harm my system, and how can I prevent if it exists.

Community
  • 1
  • 1
Nishant Jani
  • 1,965
  • 8
  • 30
  • 41

2 Answers2

8

There are 2 safety features already provided by CodeIgniter for your case.

  1. XSS filtering for your user input : Input Class has second boolean parameter for its methods, which lets you run the input through a XSS filter in case you do not have global xss filter on.

  2. For SQL injections, using binded queries and Active records is safe, it will save you from SQL injections as the framework does all of the work of escaping vulnerable user input. There are few vulnerabilities with Active records, that are reported by users, they are however fixed quickly in suqsequent releases by the CodeIgnitor team ( EllisLabs)

DhruvPathak
  • 42,059
  • 16
  • 116
  • 175
1

CodeIgniter is strip slashing the quotes and vulnerable scripts when using active records rather than running direct SQL queries.. So no wories for using Active records...

mysql_real_escape_string and some checks are done internally when its generating the SQL query to run..

Saty
  • 22,443
  • 7
  • 33
  • 51
Arun David
  • 2,714
  • 3
  • 18
  • 18