
Hello, I want to know why this kind of example question has never been asked before. I got this code from my college, and they say this kind of code is able to prevent SQL injection.

We use CodeIgniter to build a website, and here is the code to prevent SQL injection:

Controller

    $usr = $this->input->post('userid');
    $pwd = $this->input->post('passwd');

    if($usr && $pwd) {
        $ack = $this->mAuth->get_user($usr);
        $pwx = $ack['passwd'];
        if($ack && $pwd == $pwx) {
            //redirect code
        }
    }

Model

    public function get_user($user_id='', $status=1) {
        $user_id = $this->db->escape(trim($user_id));
        $status  = $status ? 'and user_status_uid = 1' : '';

        $sql = "select * from users where user_id = lower($user_id)";

        return rst2Array($sql, 'row');
    }

I tried to login with 1' or 1 = 1 etc. that I found, and it did prevent SQL injection even though it's only plain text and password.

Is there any vulnerability in this code? Thanks.

Gamma
  • If you want to prevent SQL injection, never build SQL queries including data via string concatenation. – Yoshi Aug 20 '14 at 08:12
  • Check this question: http://stackoverflow.com/questions/1615792/does-code-igniter-automatically-prevent-sql-injection – Gerifield Aug 20 '14 at 08:12
  • This code, if($ack && $pwd == $pwx) { //redirect code }, actually prevents injection to login as anyone, right? Can someone actually have any example? – Gamma Aug 20 '14 at 09:44

1 Answer


To put it simply: the "magic" is in the $this->db->escape function. It adds quotes around string values and escapes them properly for SQL syntax. See https://ellislab.com/codeigniter/user-guide/database/queries.html.

Barring any bugs in that function, it indeed prevents SQL injection in this case.

deceze
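The following is an added example, not code from the question or from CodeIgniter. It reproduces what the answer describes: `$this->db->escape()` returns the value as a quoted SQL string literal with the quotes inside it escaped. Here `PDO::quote()` stands in for that function (an assumption: both quote and escape the same way for this purpose), run against an in-memory SQLite database with a constructed `users` table. It puts the question's escaped query next to the unescaped concatenation that Yoshi's comment warns about and next to a prepared statement, so you can see why the posted model holds up and what the recommended alternative looks like. It assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not the question's or CodeIgniter's code). PDO::quote() is used
// as a stand-in for $this->db->escape(): both return a quoted, escaped literal.
// Assumes the pdo_sqlite extension; the users table below is constructed here.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (user_id TEXT, passwd TEXT, user_status_uid INTEGER)');
    $pdo->exec("INSERT INTO users VALUES ('alice', 'secret', 1)"); // constructed row
    return $pdo;
}

// Vulnerable form: the raw input is pasted into the SQL text. A single quote in
// the input ends the string literal, so the rest of the input is parsed as SQL.
function getUserUnescaped(PDO $pdo, string $userId): ?array {
    $sql = "select * from users where user_id = lower('$userId')";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the question's model does: escape() returns a quoted literal with inner
// quotes escaped, so the whole input stays a string as far as the parser sees.
function getUserEscaped(PDO $pdo, string $userId): ?array {
    $literal = $pdo->quote(trim($userId));   // e.g. '1'') or (''1''=''1'
    $sql = "select * from users where user_id = lower($literal)";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Preferred form (no data concatenated into the SQL at all): the value is sent
// separately as a bound parameter and can never change the query's structure.
function getUserBound(PDO $pdo, string $userId): ?array {
    $stmt = $pdo->prepare('select * from users where user_id = lower(?)');
    $stmt->execute([trim($userId)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = makeDb();
// Constructed input, a variant of the 1' or 1 = 1 value tried in the question,
// shaped to fit inside the lower('...') call of this query.
$payload = "1') or ('1'='1";

var_dump(getUserUnescaped($pdo, $payload)['user_id'] ?? null); // "alice": WHERE became true for every row
var_dump(getUserEscaped($pdo, $payload));                     // NULL: compared as one literal string
var_dump(getUserBound($pdo, $payload));                       // NULL: same, without relying on escaping
var_dump(getUserBound($pdo, 'ALICE')['user_id'] ?? null);     // "alice": the normal lookup still works
```

The escaped and bound versions both return no row for the hostile input, which is the behaviour the question observed. The difference is where the guarantee comes from: with `escape()` the query is safe only as long as every value that reaches the SQL string has gone through that function and is placed where a quoted literal is valid, whereas with a bound parameter the value is never part of the SQL text, so the concern the answer flags ("barring any bugs in that function") does not arise.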