prevent sql injection in codeigniter

When it comes to preventing SQL injection in plain PHP, we usually reach for mysql_real_escape_string() together with a few other precautions, but this is not the case with CodeIgniter. CodeIgniter is one of the most powerful PHP frameworks available today, so we can rely on CI to prevent SQL injection as well. It provides built-in functions and libraries that do this easily and efficiently.

There are two easy methods to prevent SQL injection in a CodeIgniter application. Please make a habit of using them, as it's a very good security practice:

1) Escaping Queries:
Example:

Here $this->db->escape() determines the data type so that it escapes only string data; integers are passed through unchanged.
It also automatically adds single quotes around the data, so you don't have to add them yourself.

2) Query Bindings :

This method of prevention is the recommended one and is very easy to implement. Consider the following example:

The question marks in the query are automatically replaced, in order, with the values in the array passed as the second parameter of the query function.
Secondly, you don't have to escape the values manually, as the binding does that for you.
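Both methods together, as an added example that is not part of the original post: a CodeIgniter 3 model (the `users` table, its columns and the `User_model` name are assumptions) showing escape(), query bindings, and the one case neither of them covers, a column name that comes from user input.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not from the original post). Assumes a CodeIgniter 3 install
// and a hypothetical `users` table with columns `id`, `username`, `email`, `status`.
class User_model extends CI_Model
{
    // 1) Escaping: escape() quotes and escapes strings, leaves integers as they
    //    are, and converts booleans and NULL to 1/0 and NULL respectively.
    public function find_by_username($username)
    {
        $sql = 'SELECT id, username, email FROM users WHERE username = '
             . $this->db->escape($username); // surrounding quotes are added for you
        return $this->db->query($sql)->row_array();
    }

    // 2) Query bindings: each ? is replaced, in order, by an escaped element of
    //    the array. The untrusted value never becomes part of the SQL text.
    public function find_active_by_email($email)
    {
        $sql = 'SELECT id, username, email FROM users WHERE email = ? AND status = ?';
        return $this->db->query($sql, array($email, 'active'))->row_array();
    }

    // Bindings and escape() protect values only. Table and column names cannot
    // be bound, so choose them from a fixed whitelist and quote them with
    // protect_identifiers() instead of trusting user input.
    public function list_sorted($column)
    {
        $allowed = array('username', 'email');
        if ( ! in_array($column, $allowed, TRUE))
        {
            $column = 'username';
        }
        $sql = 'SELECT id, username, email FROM users WHERE status = ? ORDER BY '
             . $this->db->protect_identifiers($column);
        return $this->db->query($sql, array('active'))->result_array();
    }

    // For contrast only: plain concatenation. A quote character inside
    // $username terminates the string literal and the rest is parsed as SQL,
    // which is exactly what the two methods above prevent.
    public function find_by_username_unsafe($username)
    {
        $sql = "SELECT id FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->row_array();
    }
}
```

Call it from a controller with `$this->load->model('user_model')` followed by, for instance, `$this->user_model->find_active_by_email($this->input->post('email'))`.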

As you can see, it becomes very easy to prevent SQL injection in a CodeIgniter application, so please use these practices in your projects to build a strong app…

References:

http://ellislab.com/codeigniter/user-guide/database/queries.html
