
Since my last question on SO, I've been reading a bit about how to prevent SQL injection, and many people mentioned the Active Record class. But when I google it, it only exists in CodeIgniter 2.

So my questions are:

  1. Is the Query Builder class in CodeIgniter 3 the upgraded version of the Active Record class, or do they serve different purposes?

  2. Is it enough (in general) to use Query Builder class methods like $this->where('field', $foo); instead of $this->where("field = '$foo'"); to prevent SQL injection?

P.S. I'm using CodeIgniter 3 and MySQL.

dapidmini
  • Take a look at: http://stackoverflow.com/questions/1615792/does-codeigniter-automatically-prevent-sql-injection – James Lalor Nov 25 '16 at 15:59
  • Yes, I've read that question before asking. That question does not answer either of my questions here, and there are too many different opinions there to conclude anything. – dapidmini Nov 28 '16 at 11:02

1 Answer


1- ActiveRecord was in CodeIgniter 2, but in CodeIgniter 3 you have QueryBuilder instead. Both classes do the same work for you; QueryBuilder is perhaps an improved version of ActiveRecord. In other frameworks like Yii2, ActiveRecord is an ORM, not only a query string builder, but in CI it was a simple query builder.

2- CodeIgniter will escape all passed parameters automatically, but I suggest you validate your inputs before running queries. For example, the value of a numeric id field should be a number, not a string, so the rule for the ID input should be INTEGER. You can see validation in CodeIgniter 3 in the official documentation: https://www.codeigniter.com/userguide3/libraries/form_validation.html

All you need to do is pass your field value as a function parameter, not as a string (field and value together). If you want to run your query without QueryBuilder, you must escape your parameters manually. You can find more information about it in the CodeIgniter documentation:

https://www.codeigniter.com/userguide3/database/queries.html#escaping-queries
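An added example (not code from the question or the answer) that puts the two where() styles from the question side by side in a CodeIgniter 3 model, plus the manual-escaping path the answer mentions; the table name "articles" and the model file path are assumptions:

```php
<?php
// Added example, not code from the question or the answer. Assumes a
// CodeIgniter 3 application with the database library loaded and a table
// named "articles" (hypothetical); file: application/models/Article_model.php
defined('BASEPATH') OR exit('No direct script access allowed');

class Article_model extends CI_Model
{
    // Style from the question that does NOT protect you: field and value are
    // glued into one string, so Query Builder treats it as raw SQL and never
    // escapes $author. A value containing a single quote breaks the statement.
    public function compile_where_as_string($author)
    {
        $this->db->from('articles');
        $this->db->where("author = '$author'");
        return $this->db->get_compiled_select(); // returns SQL, runs nothing
    }

    // Style the answer recommends: field and value are separate parameters,
    // so Query Builder quotes the value and escapes any quotes inside it.
    public function compile_where_as_parameter($author)
    {
        $this->db->from('articles');
        $this->db->where('author', $author);
        return $this->db->get_compiled_select();
    }

    // Outside Query Builder there is no automatic escaping: validate the type
    // first (the answer's INTEGER rule) and escape explicitly.
    public function find_by_id($id)
    {
        if (!ctype_digit((string) $id)) {
            return NULL; // reject anything that is not a non-negative integer
        }
        $sql = 'SELECT * FROM articles WHERE id = ' . $this->db->escape((int) $id);
        return $this->db->query($sql)->row();
    }
}
```

Calling both compile_* methods with the same value that contains a single quote and comparing the returned SQL shows the difference without touching the database. On the controller side, $this->form_validation->set_rules('id', 'ID', 'required|integer') is the check the answer refers to.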

Erfun