CodeIgniter 是否会自动防止 SQL 注入? [英] Does CodeIgniter automatically prevent SQL injection?

问题描述

我刚刚继承了一个项目，因为最后一个开发人员离开了.该项目是基于 Code Igniter 构建的.我以前从未使用过 Code Igniter.

I just inherited a project because the last developer left. The project is built off of Code Igniter. I've never worked with Code Igniter before.

我快速浏览了代码，我看到控制器中的数据库调用如下:

I took a quick look at the code and I see database calls in the controller like this:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$_POST['user_name']."'");

或者像这样调用:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$this->input->post('username')."'");

代码点火器是否会自动清理这些查询以防止 sql 注入?

Does code igniter automatically sanitize these queries to prevent sql injection?

推荐答案

CodeIgniter DOES ESCAPE 您在使用 $this->db->query 方法时传递的变量.但仅当您将变量作为绑定传递时，这里是一个示例:

CodeIgniter DOES ESCAPE the variables you pass by when using the $this->db->query method. But ONLY when you pass the variables as binds, here's an example:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = ?", array($this->input->post('username')));

还要记住 $_POST 不应该比 $this->input->post 更受欢迎，因为它的作用是检查变量是否存在以防止错误.

Also remember that $_POST shouldn't be preferred over $this->input->post since what it does is check if the variables exists to prevent errors.

这篇关于CodeIgniter 是否会自动防止 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！