
I have a question about this query, does codeigniter prevent SQL injection when we use this query:

$this->db->like(); 
$query = $this->db->get();
lolilap
  • Please include the contents of the query. – Shawn Feb 03 '15 at 18:50
  • @Shawn the question is simple: does CodeIgniter prevent SQL injection when we use the above query or not? Why do you want the contents of the query? The answer should be yes or no. – lolilap Feb 03 '15 at 19:09
  • Because it may be that the query failed because the array is empty or has some other bug in it. Need all details to be thorough. – Shawn Feb 03 '15 at 19:21
  • @Shawn you didn't understand my question at all. The question is about this: $this->db->like(); $this->db->get(); it's not about the array or the content, it's about the query itself – lolilap Feb 03 '15 at 19:33
  • I understand what you are asking but I am saying the content of the data may be why you are not getting results. :-) – Shawn Feb 03 '15 at 19:41
  • @Shawn I don't know how to explain it; it's not about the content, not content, not not not not content. I'm talking about the query itself. Where is the content in this $this->db->like();? There is no content in this query, just $this and db and like, no content in this. Did you understand now? – lolilap Feb 03 '15 at 20:14
  • I've done development in CodeIgniter since v1.0.1 and there's many reasons a get won't work, but you won't explore those options, so what else can I say? – Shawn Feb 03 '15 at 20:24
  • Read your question. Read our answers. I have said below: yes, they help with SQL injection attacks. Also @Shawn went into more detail, because in order to see if it is susceptible to SQL injection, knowing what specifically you are passing is very important. Furthermore, your responses to our clarifying questions are rude and uncalled for; if you want any further help you will need to find it in the documentation yourself. – JaeGeeTee Feb 03 '15 at 20:29
  • @JaeGeeTee if you ask me whether a function prevents SQL injection, for example this function ($a) { insert to db $a }, my response will be no, this function doesn't prevent SQL injection because it doesn't contain mysql_real_escape_string(). I will not talk about the variable $a because it doesn't have any relation with the function – lolilap Feb 03 '15 at 20:34
  • @JaeGeeTee I found the answer in a video. The answer is yes, CodeIgniter prevents SQL injection when we use Active Record because the Active Record class takes care of this. Did you see how the answer is? No content is involved. – lolilap Feb 03 '15 at 20:50


Despite lolilap's bad attitude, I may as well offer an answer that actually responds to this code.

First off, this will never work, so the question of whether it prevents SQL injection is moot. In order to actually get anything back from this you would need to define both the like conditions and the table from which to perform the get, e.g.

$this->db->like('field','string');
$this->db->get('table');

Additionally, it can never be vulnerable to SQL injection as in the example code (the code we are supposed to help support) there are no arguments passed. If the code was even close to being a viable real-world example it might look like this:

$some_input=$this->input->post('something_from_the_outside_world');

$this->db->like('field',$some_input); //maybe the question is whether this is sanitized??
$this->db->get('table');

If the question is whether this input is sanitized for SQL injection then the answer is yes, of course it is, or what's the point of the Active Record class.

If you want to further clean this for cross-site scripting you need to either define this in the config.php file, e.g.

$config['global_xss_filtering'] = TRUE;

or use the form validation library and run the rule xss_clean.

Mike Miller
  • This is the answer I'm looking for, not like above where they are asking me about the content of like() or the table name. – lolilap Feb 03 '15 at 22:13
  • I think what they wanted to see was an example of what you are sending and how you are sending it. I believe their intentions were entirely honourable and in a general sense it's nice to be nice. Glad this helped out – Mike Miller Feb 03 '15 at 22:17
  • I edited the question. The query I posted at first was this: $this->db->like($my_array); $query = $this->db->get($from); but they kept asking me about the content of the query, so I removed it. Anyway, thanks for your help. I'm nervous today, that's why I behaved like that I guess – lolilap Feb 03 '15 at 22:26
  • No probs glad I could help – Mike Miller Feb 03 '15 at 22:32
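As an added illustration (not code from the question or the answer), here is the sanitized pattern from the answer placed in a CodeIgniter 3 model, with the column name taken from an allowlist rather than from the request, beside the string-concatenation pattern that Active Record spares you from. The model name, table and column names (`Search_model`, `articles`, `title`, `body`) are assumed.

```php
<?php
// Added example, not from the original page. Assumes CodeIgniter 3.x and a
// hypothetical table `articles` with columns `title` and `body`.
defined('BASEPATH') OR exit('No direct script access allowed');

class Search_model extends CI_Model
{
    // Escaping applies to values, not to identifiers: the column name is
    // spliced into the SQL as an identifier, so it must come from this
    // application-controlled allowlist, never straight from the request.
    private $searchable = array('title', 'body');

    // Safe: like() runs the value through escape_like_str(), which escapes
    // quotes and the LIKE wildcards (% and _) before the SQL is assembled.
    public function search($column, $term)
    {
        if ( ! in_array($column, $this->searchable, TRUE))
        {
            return array();
        }

        $this->db->like($column, $term);
        $query = $this->db->get('articles');

        // Check what the query builder actually sent, e.g. via the log.
        log_message('debug', 'Search SQL: ' . $this->db->last_query());

        return $query->result_array();
    }

    // Unsafe "before" version: the same search with the raw value concatenated
    // into the SQL string. A quote character inside $term ends the string
    // literal and the rest of the input is parsed as SQL, which is exactly
    // what the escaping inside like() prevents.
    public function search_unsafe($column, $term)
    {
        $sql = "SELECT * FROM articles WHERE $column LIKE '%$term%'";
        return $this->db->query($sql)->result_array();
    }
}
```

Call `search()` from a controller with `$this->input->post('q')` as the term; `search_unsafe()` is included only to show the shape of the query that Active Record never generates.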