
My program failed the security scanning for SQL injection. The following is one of my functions to insert data into the db. Please advise how I should modify my code to prevent SQL injection. Thanks in advance.

public function set_timeline() {
    $this->load->helper('url');
    $this->load->helper('form');

    // Raw POST values; CodeIgniter's input class does not sanitise them for SQL,
    // that is left to the database layer below.
    $data = array(
        'fiid' => $this->input->post('fiid'),
        'project_id' => $this->input->post('project_id'),
        'testing' => $this->input->post('testing'),
        'start_date' => $this->input->post('start_date'),
        'end_date' => $this->input->post('end_date'),
        'description' => $this->input->post('description'),
        'project_progress' => $this->input->post('project_progress'),
        'tester' => $this->input->post('tester'),
        'status' => $this->input->post('status')
    );

    // Query Builder insert(): every value in $data is escaped by CodeIgniter
    // before the INSERT statement is built.
    $this->db->insert('timeline', $data);

    if ($this->db->affected_rows() > 0) {
        echo '<script>alert("Timeline Added Successfully"); window.history.back(); </script>';
    }
    else {
        echo '<script>alert("Timeline already exist!"); window.history.back();</script>';
    }
}
Julie
  • Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Manuel Allenspach Mar 10 '17 at 11:34
  • You sure it's this function that's creating the failure? In theory db->insert() already escapes the data for you, see: http://www.codeigniter.com/user_guide/database/query_builder.html#inserting-data – Pacio Mar 10 '17 at 11:41
  • @Manu: I think the possible duplicate is: [Does CodeIgniter automatically prevent SQL injection?](http://stackoverflow.com/questions/1615792/does-codeigniter-automatically-prevent-sql-injection) – fustaki Mar 10 '17 at 11:41
  • @fustaki That's for using the db->query() method which just passes raw SQL to the db, insert() does escape it – Pacio Mar 10 '17 at 11:45
  • You can always echo $this->db->last_query() to investigate actual output. – qwertzman Mar 10 '17 at 12:11
  • Meaning my code is ok?.. weird.. why did I fail the security scanning?.. I got a response: vulnerability for SQL injection.. All my insert/update functions use the same method as I show above.. :/ – Julie Mar 10 '17 at 15:44
  • Thanks @fustaki .. – Julie Mar 10 '17 at 15:45
  • Thanks guys.. I'll look into it.. – Julie Mar 10 '17 at 15:45
  • The scanning vendor should be able to give you the exact URL and data they found to be vulnerable. Will help in tracking it down. Note that these things *do* have some false positives. – ceejayoz May 21 '17 at 23:44
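The comments draw the distinction that matters here: Query Builder calls such as insert() and where() escape their values, while $this->db->query() sends whatever string it is given. The following is an added illustration, not code from the question or from CodeIgniter itself; it assumes a CodeIgniter 3 model with the database library loaded, and reuses the table and column names from the question. The method names (get_by_project_unsafe, get_by_project, get_by_project_qb, add) are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes CodeIgniter 3 with
// $this->db available; 'timeline' and its columns come from the question.
class Timeline_model extends CI_Model
{
    // UNSAFE: the request value is concatenated straight into the SQL text,
    // so anything the client sends is parsed as SQL, not as a value. This is
    // the pattern a scanner will flag and the one db->query() cannot protect.
    public function get_by_project_unsafe($project_id)
    {
        $sql = "SELECT * FROM timeline WHERE project_id = " . $project_id;
        return $this->db->query($sql)->result_array();
    }

    // SAFE: query bindings. CodeIgniter substitutes each ? with the escaped
    // value, so the input can only ever be a value in the statement.
    public function get_by_project($project_id)
    {
        $sql = "SELECT * FROM timeline WHERE project_id = ?";
        return $this->db->query($sql, array($project_id))->result_array();
    }

    // SAFE: Query Builder. Values given to where() are escaped automatically,
    // the same mechanism that protects the insert() in the question.
    public function get_by_project_qb($project_id)
    {
        return $this->db->where('project_id', $project_id)
                        ->get('timeline')
                        ->result_array();
    }

    // Insert with an explicit column whitelist, so that only the expected
    // keys from the form reach the database even if extra POST fields arrive.
    public function add(array $data)
    {
        $allowed = array('fiid', 'project_id', 'testing', 'start_date', 'end_date',
                         'description', 'project_progress', 'tester', 'status');
        $row = array_intersect_key($data, array_flip($allowed));

        $this->db->insert('timeline', $row);

        // While tracking down the scanner finding, record the SQL that was
        // actually sent; compare it with the request the vendor reports.
        log_message('debug', $this->db->last_query());

        return $this->db->affected_rows() > 0;
    }
}
```

Usage note: with the whitelist in place the controller can pass $this->input->post() directly to add(). To locate the finding the scanner reported, compare the URL and parameters the vendor supplies against every place in the code base that calls $this->db->query() with a string built from request data; insert() and update() calls that take arrays, like the one in the question, are not where the problem lies.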

0 Answers