CodeIgniter是否自动阻止SQL注入？ [英] Does CodeIgniter automatically prevent SQL injection?

问题描述

我刚刚继承了一个项目，因为最后一个开发者离开了。该项目是由代码点火器构建的。我以前从来没有使用过代码Igniter。

我快速看一下代码，我看到控制器中的数据库调用，如下所示：

  $ dbResult = $ this-> db-> query（SELECT * FROM users WHERE username ='。$ _ POST ['user_name'] 。'）; 
  

或调用：

  $ dbResult = $ this-> db-> query（SELECT * FROM users WHERE username ='。$ this-> input-> post（'username'）。 '）; 
  

代码igniter是否自动清理这些查询以防止sql注入？

<当你使用 $ this-> db->查询时，使用CodeIgniter来传递你所传递的变量。方法。但是只有当你传递的变量作为绑定，这里是一个例子：

  $ dbResult = $ this-> db-> query（SELECT * FROM users WHERE username ='？'，array（$ this-> input-> post（'username'）））; 
  

还要记住， $ _ POST 优先于 $ this-> input-> post ，因为它是检查变量是否存在以防止错误。

I just inherited a project because the last developer left. The project is built off of Code Igniter. I've never worked with Code Igniter before.

I took a quick look at the code and I see database calls in the controller like this:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$_POST['user_name']."'");

or calls like this:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$this->input->post('username')."'");

Does code igniter automatically sanitize these queries to prevent sql injection?

解决方案

CodeIgniter DOES ESCAPE the variables you pass by when using the $this->db->query method. But ONLY when you pass the variables as binds, here's an example:

$dbResult = $this->db->query("SELECT * FROM users WHERE username = '?'", array($this->input->post('username')));

Also remember that $_POST shouldn't be preferred over $this->input->post since what it does is check if the variables exists to prevent errors.

这篇关于CodeIgniter是否自动阻止SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！