
I'm using PHP CodeIgniter with the CRUD MY_Modal. I want to prevent SQL injection. How do I deal with this?

    $condition_array = array(
        'email'    => $this->input->post('user_id'),
        'password' => $this->input->post('password'),
    );
    $user = $this->Service_seeker_m->get_by($condition_array, TRUE);

In this way I'm calling my model (Service_seeker_m), which includes MY_Modal (CRUD).

Can anybody help me solve my query? Thanks.

Jonathan
  • This code is able to avoid SQL injection. What else do you want? – kishor10d Aug 01 '17 at 11:11
  • Are you sure? It means nobody can hamper the database by SQL injection? – Chandan Soni Aug 01 '17 at 11:18
  • Have you tried SQL injection on the given code? The query escaping is already done with CodeIgniter Active Record queries. – kishor10d Aug 01 '17 at 11:20
  • Thanks for your suggestion. Yes, I have tried, but I want to be sure. Is there any other way to prevent it? So I will be free. – Chandan Soni Aug 01 '17 at 11:26
  • It will depend on how you wrote the query in `Service_seeker_m ->get_by()`. We need to see the code inside that function. – hyubs Aug 01 '17 at 11:27
  • These references might also help you: [link1](https://stackoverflow.com/questions/3797613/sql-injection-and-codeigniter?rq=1), [link2](https://stackoverflow.com/questions/3917831/prevent-sql-injections-in-codeigniter?rq=1) – hyubs Aug 01 '17 at 11:32
  • Actually I'm using the general CRUD Model of CodeIgniter where the get_by() function is defined. – Chandan Soni Aug 01 '17 at 11:44

1 Answer


Here are some suggestions regarding your query.

Escaping queries:

Here is the link to the documentation.

It’s a very good security practice to escape your data before submitting it into your database. CodeIgniter has three methods that help you do this:

  1. $this->db->escape() This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don’t have to:

    $sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";
    
  2. $this->db->escape_str() This function escapes the data passed to it, regardless of type. Most of the time you’ll use the above function rather than this one. Use the function like this:

    $sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";
    
  3. $this->db->escape_like_str() This method should be used when strings are to be used in LIKE conditions so that LIKE wildcards (‘%’, ‘_’) in the string are also properly escaped.

    $search = '20% raise';
    $sql = "SELECT id FROM table WHERE column LIKE '%" .
    $this->db->escape_like_str($search)."%' ESCAPE '!'";
    

The escape_like_str() method uses ‘!’ (exclamation mark) to escape special characters for LIKE conditions. Because this method escapes partial strings that you would wrap in quotes yourself, it cannot automatically add the ESCAPE '!' condition for you, so you’ll have to do that manually.

Query bindings:

Here is the link to the documentation. It is described in brief so you can understand it properly.

always-a-learner
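As hyubs' comment points out, whether the question's `get_by()` call is safe depends entirely on how the model builds its query. The CodeIgniter 3 model below is an added example, not code from the question, the answer, or any MY_Model library; it shows the three safe ways the answer describes (Query Builder, query bindings, and a hand-built LIKE with `escape_like_str()`) next to the unsafe string concatenation they replace. The table and column names (`service_seeker`, `email`, `password`, `name`) are assumptions.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example model (assumed table "service_seeker" with columns
// id, email, password, name). Not the project's own MY_Model code.
class Service_seeker_m extends CI_Model
{
    protected $table = 'service_seeker';

    // UNSAFE for comparison only: user input is pasted straight into the
    // SQL text, so a crafted value can change the statement's structure.
    // Never use this form; it is here to show what the methods below avoid.
    public function get_by_unsafe($email)
    {
        $sql = "SELECT * FROM {$this->table} WHERE email = '" . $email . "'";
        return $this->db->query($sql)->row();
    }

    // 1. Query Builder: every value in the $conditions array is escaped by
    // CodeIgniter before it reaches the SQL text. This is the shape a generic
    // CRUD get_by($where, $single) usually has.
    public function get_by($conditions, $single = FALSE)
    {
        $query = $this->db->where($conditions)->get($this->table);
        return $single ? $query->row() : $query->result();
    }

    // 2. Query bindings: each "?" is replaced by the matching array element,
    // escaped and quoted by the driver, so input is data, never SQL.
    public function get_by_email_bound($email)
    {
        $sql = "SELECT * FROM {$this->table} WHERE email = ? LIMIT 1";
        return $this->db->query($sql, array($email))->row();
    }

    // 3. Hand-built LIKE: escape_like_str() escapes % and _ inside the term
    // with "!", and the ESCAPE '!' clause must be appended by hand, as the
    // answer notes. The Query Builder's like() does both for you.
    public function search_by_name($term)
    {
        $sql = "SELECT id, email, name FROM {$this->table} WHERE name LIKE '%"
             . $this->db->escape_like_str($term) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }

    // Same search via Query Builder; wildcards in $term are escaped
    // automatically and no manual ESCAPE clause is needed.
    public function search_by_name_qb($term)
    {
        return $this->db->select('id, email, name')
                        ->like('name', $term)
                        ->get($this->table)
                        ->result();
    }
}

// Controller-side usage matching the question (assumed controller code):
//
//     $this->load->model('Service_seeker_m');
//     $user = $this->Service_seeker_m->get_by(array(
//         'email'    => $this->input->post('user_id'),
//         'password' => $this->input->post('password'),
//     ), TRUE);
//
// With get_by() implemented as above, both posted values are escaped by the
// Query Builder, which is the behaviour kishor10d's comment relies on.
```

To check which case a given MY_Model falls into, open its `get_by()` and look for `$this->db->where(...)` / `->get(...)` (Query Builder), `$this->db->query($sql, $bindings)` (bindings), or raw `"... '" . $value . "'"` concatenation; only the last one needs fixing, and `$this->db->last_query()` after a call shows the exact SQL that was sent, quoting and escaping included.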