Escaping SQL Queries in Codeigniter

Escaping SQL queries in Codeigniter

Another way is to use Query Binding which automatically escapes all the values:

// Each ? is replaced by the matching array value, escaped by the driver
$sql = "INSERT IGNORE INTO my_table(lat, lng, date, type) VALUES (?,?,?,?);";
$this->db->query($sql, array($data['lat'], $data['lng'], $data['date'], $data['type']));

SQL query escaping + codeigniter

$sql = "SELECT * FROM `user_language` WHERE `user_id` = " . $this->db->escape($id);

If you want to select the language of the user given by $id, it should work that way.

When dealing with numbers, an alternative would be:

$sql = "SELECT * FROM `user_language` WHERE `user_id` = " . (int)$id;

CodeIgniter also supports prepared statements as "query bindings":

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.

$this->db->escape() function adding single quote in codeigniter

When you use the query builder class to construct your queries the values are escaped automatically by the system so you don't have to use the function $this->db->escape. In your case, each value was escaped by the escape function and the system did it again for each value when executing the insert function.

Now if you want to run custom queries using the function $this->db->query it is a good practice to escape the data like below:

// escape() wraps the value in quotes and escapes special characters, so it is safe to concatenate
$sql = "INSERT INTO table (column) VALUES(".$this->db->escape($value).")";
$this->db->query($sql);

codeigniter escaping queries

This is a bug in CodeIgniter 3.0.0 and 3.0.1. It was fixed in version 3.0.2, and the current stable version is 3.0.3 ...

All you need to do is update your CI setup.

Escape the order by query in codeigniter

Use the code below:

// turn off identifier protection so the function expression is not backtick-quoted
$this->db->_protect_identifiers = FALSE;
// third argument FALSE also tells order_by() not to escape the expression
$this->db->order_by('IFNULL(update_date,create_date)', 'DESC', false);
// restore the default
$this->db->_protect_identifiers = TRUE;

Codeigniter - Automatically escape SQL queries

Referring to here http://codeigniter.com/user_guide/database/queries.html

You may consider using the Query Bind section, which is at the bottom of that page.
Try to practice binding queries; it is a faster and cleaner way of doing it.

Bind Queries Example:

// the two ? placeholders receive 3 and 100 in order, each escaped by the driver
$sql = "SELECT * FROM some_table WHERE id = ? AND price = ?";
$this->db->query($sql, array(3, 100));

Note: with the binding method, values are always escaped automatically.
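As an added example (not code from any of the answers above), a CodeIgniter 3 model that applies the binding advice from these answers and goes a little beyond them: it covers a scalar bind, an array bound to an IN list, and a LIKE pattern, where escape_like_str() must be concatenated rather than bound because it already applies driver escaping. It assumes CI3 with the database library loaded and a user_language table with user_id and lang_code columns.

```php
<?php
// Added example, not from the original answers. Assumes CodeIgniter 3 with
// $this->db loaded and a `user_language` table with `user_id` and `lang_code`.
class User_language_model extends CI_Model
{
    // Scalar bind: the ? is replaced by the escaped value, so $user_id is never
    // spliced into the SQL as raw text. The (int) cast also rejects non-numeric ids.
    public function languages_for_user($user_id)
    {
        $sql = 'SELECT * FROM `user_language` WHERE `user_id` = ?';
        return $this->db->query($sql, array((int) $user_id))->result();
    }

    // Array bind: CI3 expands an array bound to "IN ?" into "IN ('en','fr')"
    // with every element escaped, so a variable-length list needs no manual quoting.
    public function users_with_languages(array $codes)
    {
        $sql = 'SELECT `user_id` FROM `user_language` WHERE `lang_code` IN ?';
        return $this->db->query($sql, array($codes))->result();
    }

    // LIKE patterns need escape_like_str(): it applies the driver's string escaping
    // AND neutralises the % and _ wildcards with the '!' escape character, which the
    // ESCAPE clause declares to MySQL. The result is concatenated, not bound: binding
    // it would run escape_str() a second time and double-escape quotes and backslashes,
    // the same double-escaping problem described for the query builder above.
    public function users_with_prefix($prefix)
    {
        $sql = "SELECT `user_id` FROM `user_language` WHERE `lang_code` LIKE '"
             . $this->db->escape_like_str($prefix) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }
}
```

With these three methods, untrusted input never reaches the SQL string unescaped, and a search term such as "50%" matches literally instead of acting as a wildcard.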

How to prevent automatically escaping in $this->db->update query in Codeigniter

I structured one solution; though it's not a full version, it may help other users.

In my case I wanted to escape just one column's value, so I put that column in the set function and all the other data, as an array, in the update function, like:

// third argument FALSE tells set() not to escape "value1"; the array values are escaped as usual
$this->db->set("col1", "value1", FALSE);
$this->db->update("tablename", $allotherdataarray, $wherearray);

It worked for me.
