
I am working on a CodeIgniter project. How can I know whether the query functions in my models are preventing SQL injection? I'm using different ways to insert data, but how can I make sure which one is safe?

Here's my code:

1)
    $data = array(
        'name' => $_POST['name'],
        'email' => $_POST['email'],
        'phone' => $_POST['phone'],
        'city' => $_POST['city'],
        'current_salary' => $_POST['current_salary'],
        'expected_salary' => $_POST['expected_salary'],
        'reume_link' => $file_name,
        'status' => 0,
    );
    $this->db->insert('my_table_name', $data);

2)
    $query = $this->db->query('SELECT distinct(name) as name FROM `my_table_name` WHERE city like "%'.$_POST['state'].'%" ');
    $res = $query->result_array();

3)
    $query = $this->db->query("insert into my_table_name(nid,sid,cid,data) values('766','$sid',1,'".$_POST['adm_name']."')");

Do the CodeIgniter functions prevent SQL injection by default, or do I strictly need to use prepared statements / bind parameters?

Are the simple CI functions not safe to use?

Narendrasingh Sisodia
Vipul sharma
    You should always use prepared statements. – Jay Blanchard Jul 09 '15 at 11:58
  • (1) is perfectly fine. Both (2) and (3) good examples of what not to do. It's not even more readable to eschew the reliable approach. So what's the purpose of this question? – mario Jul 09 '15 at 12:05
  • Check this [link](http://stackoverflow.com/questions/5857386/how-to-avoid-sql-injection-in-codeigniter); – Saty Jul 09 '15 at 12:11
  • @mario The things you explain are really helpful for me. You mean $this->db->query('my query ') needs to use the escape function for every entity. – Vipul sharma Jul 09 '15 at 12:19
  • 1) is fine; each var will be escaped correctly and will be safe. For extra safety you can tell it to use the mysqli or pdo libraries, which will use prepared statements. 2 + 3) Don't EVER use queries like this in a production environment. – mic Jul 09 '15 at 12:39

5 Answers

You should use $this->db->escape_str for every variable you put inside your query. Another option (an even better one) is to use prepared statements.

Dekel

Here is an example of how to use prepared statements -

$sql = 'SELECT distinct(name) name FROM `my_table_name` WHERE city like ?';
$query = $this->db->query($sql, array("%$_POST[state]%"));

This means you substitute the actual data with ? marks and pass the data as an array in the second parameter.

Most ActiveRecord methods (like insert, get and such) are safe too, as long as you follow the guidelines.

Flexo
Your Common Sense

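Applied to the question's queries (2) and (3), as an added example that is not part of the answer above: the request values move into the bindings array and the `%` wildcards are added to the value, not to the SQL string. Table, column and variable names are the question's own; the model class name is assumed, and the code targets CodeIgniter 3. The wildcard escaping is done by hand here rather than with `escape_like_str()`, because that helper also escapes quotes and the `?` binding would then escape them a second time.

```php
<?php
// Added example, not part of the original answer: the question's queries (2) and (3)
// rewritten with CodeIgniter 3 query bindings. Table, column and variable names are
// taken from the question; the class name is an assumption.
defined('BASEPATH') OR exit('No direct script access allowed');

class Candidate_model extends CI_Model
{
    // (2) rewritten. The request value never touches the SQL text: it is passed
    // in the bindings array and CodeIgniter escapes it when it compiles the "?".
    public function names_in_city($state)
    {
        // A bound parameter stops quote injection, but a user can still send
        // "%" or "_" and turn the search into "match every row". So the LIKE
        // metacharacters inside the value are escaped with "!", and the
        // ESCAPE '!' clause tells MySQL that "!" is the escape character.
        // (Only the wildcards are escaped here; quotes are handled by the binding.)
        $pattern = '%' . str_replace(
            array('!', '%', '_'),
            array('!!', '!%', '!_'),
            $state
        ) . '%';

        $sql = 'SELECT DISTINCT name FROM `my_table_name` WHERE city LIKE ? ESCAPE \'!\'';

        return $this->db->query($sql, array($pattern))->result_array();
    }

    // (3) rewritten. The fixed values stay as literals in the SQL; the two
    // variables are bound, so a quote inside $adm_name cannot end the literal.
    public function add_admission($sid, $adm_name)
    {
        $sql = 'INSERT INTO my_table_name (nid, sid, cid, data) VALUES (766, ?, 1, ?)';

        return $this->db->query($sql, array($sid, $adm_name));
    }
}

// Called from a controller, the request value is simply handed to the model:
//   $this->load->model('candidate_model');
//   $rows = $this->candidate_model->names_in_city((string) $this->input->post('state'));
```

Note that CodeIgniter compiles the bound values into the query string with its own escaping before the statement is sent; `?` bindings are not server-side prepared statements, but they do keep every value out of the SQL you write, which is the property that matters here.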
If you use CodeIgniter's Active Record methods, they automatically escape the values for you to prevent injection.

$this->db->select('*');
$this->db->from('table_name');
$this->db->where('column_name', $val1);
$query = $this->db->get();

If you don't want to use CI Active Record, there's a function in CI, $this->db->escape():

$data1 = $this->db->escape($data1); // escape() adds the surrounding single quotes itself
$this->db->query("SELECT * FROM table_name WHERE var = $data1");

Or you can use query bindings:

$sql = 'SELECT * FROM table_name WHERE var = ?';
$this->db->query($sql, array($var));

Also, instead of using $_POST and $_GET, CI has its own methods, $this->input->post() and $this->input->get() respectively.

Narendrasingh Sisodia

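The question's three operations done with the Active Record / Query Builder methods the answer above recommends, as an added example that is not part of the answer: the builder escapes every value itself, and `last_query()` lets you see the SQL that was actually sent, which is the check the question asks for. Table and column names are the question's own; the class name and the column whitelist are assumptions, and the code targets CodeIgniter 3 (where Active Record is called Query Builder).

```php
<?php
// Added example, not part of the original answer: the question's three operations
// done with the CodeIgniter 3 Query Builder, which escapes every value itself.
// Table and column names come from the question; the class name and the column
// whitelist are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

class Candidate_builder_model extends CI_Model
{
    // (1): insert() escapes each value. Only whitelisted keys are copied out of
    // the request array, so the caller can pass the whole POST array without
    // letting the client decide which columns get written.
    public function add_candidate(array $post, $file_name)
    {
        $allowed = array('name', 'email', 'phone', 'city', 'current_salary', 'expected_salary');
        $data = array_intersect_key($post, array_flip($allowed));
        $data['reume_link'] = $file_name;
        $data['status'] = 0;

        return $this->db->insert('my_table_name', $data);
    }

    // (2): like() adds the % wildcards, escapes quotes, and also escapes % and _
    // inside the value (it appends an ESCAPE clause), so a user cannot widen the
    // match to every row by sending "%".
    public function names_in_city($state)
    {
        return $this->db->distinct()
                        ->select('name')
                        ->like('city', $state)
                        ->get('my_table_name')
                        ->result_array();
    }

    // (3): literals and variables alike go through insert(); nothing is concatenated.
    public function add_admission($sid, $adm_name)
    {
        return $this->db->insert('my_table_name', array(
            'nid'  => 766,
            'sid'  => $sid,
            'cid'  => 1,
            'data' => $adm_name,
        ));
    }

    // "How can I know?": run a query with a hostile value and look at the SQL that
    // was sent. The Query Builder (like "?" bindings) compiles the escaped value
    // into the statement text on the client side, so last_query() shows exactly
    // what reached the database.
    public function sql_sent_for($state)
    {
        $this->names_in_city($state);

        return $this->db->last_query();
    }
}
```

Calling `$this->candidate_builder_model->sql_sent_for('x\' OR 1=1 -- ')` from a controller returns the statement with the quote escaped and the whole value still inside the LIKE literal. Feed it `(array) $this->input->post()` for the insert; `$this->input->post()` only fetches the value (and optionally runs `xss_clean`, which is an HTML filter), it does no SQL escaping, so the protection has to come from the builder or from bindings in the model.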
For protection, always use $this->input->post('name_of_input') and $this->input->get('name_of_input') instead of $_POST[] and $_GET[].

Saty
acesta

Check this link for the documentation.

In config.php set

$config['global_xss_filtering'] = True;

or use xss_clean in validation; check the link for the documentation.

parth