Prevent SQL injections in codeigniter

Views: 577

Problem description


In my project I use $this->input->(get|post) to pass data to models. In models I always use active records. Is this enough to prevent sql injections ?

Recommended answer


No, it isn't. Edit: Yes it is...didn't see your comment about you using active records. You either need to escape your inputs manually using PHP's or CodeIgniter's escaping functions or you should be using CodeIgniter's query bindings or you can use CodeIgniter's Active Record class. I prefer to do the query bindings as it a) makes my queries look nicer and b) ensures that all of my inputs are cleansed prior to being run in MySQL.


http://ellislab.com/codeigniter/user_guide/database/queries.html

It works like this:

// The ? placeholder is replaced by the escaped value of $id at query time
$qStr = "SELECT * FROM students WHERE id=?";
$q = $this->db->query($qStr, array($id));



CodeIgniter will recognize what type of data your variable is, and wrap it accordingly. That is, if it's a string, it will put ' and ' around the escaped value in the SQL, which is what you need to ensure that users can't inject anything malicious.
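The following is an added example, not code from the answerer or from CodeIgniter itself: a model that puts the injectable string-concatenation form beside the three safe forms the answer names (manual escaping, query bindings, Active Record), plus the one case bindings do not cover. It assumes a CodeIgniter 2.x/3.x install with the database library loaded, and a `students` table whose `id` and `name` columns are constructed for this example.

```php
<?php
// Added illustrative example (not the answerer's code). Assumes a loaded
// CodeIgniter database library and a `students` table with `id` and `name`
// columns (constructed for this example).
class Student_model extends CI_Model
{
    // UNSAFE: the raw value is concatenated into the SQL text, so whatever
    // the user supplies in $id becomes part of the statement itself.
    public function find_unsafe($id)
    {
        $sql = "SELECT * FROM students WHERE id=" . $id;
        return $this->db->query($sql)->result();
    }

    // Option 1 from the answer: manual escaping. escape() quotes strings and
    // escapes special characters for the active database driver.
    public function find_escaped($id)
    {
        $sql = "SELECT * FROM students WHERE id=" . $this->db->escape($id);
        return $this->db->query($sql)->result();
    }

    // Option 2: query bindings. Each ? is replaced, in order, by the escaped
    // and quoted value, so the value can never be parsed as SQL syntax.
    public function find_bound($id)
    {
        $sql = "SELECT * FROM students WHERE id=?";
        return $this->db->query($sql, array($id))->result();
    }

    // Option 3: Active Record (Query Builder in CI3). Values given to
    // get_where()/where() are escaped automatically.
    public function find_active_record($id)
    {
        return $this->db->get_where('students', array('id' => $id))->result();
    }

    // Caveat: bindings and escape() protect VALUES only. Table and column
    // names cannot be bound, so a user-chosen sort column must be checked
    // against a fixed allow-list before it is placed in the statement.
    public function find_sorted($id, $sort_column)
    {
        $allowed = array('id', 'name');
        if (!in_array($sort_column, $allowed, true)) {
            $sort_column = 'id'; // constructed default
        }
        $sql = "SELECT * FROM students WHERE id=? ORDER BY " . $sort_column;
        return $this->db->query($sql, array($id))->result();
    }
}
```

Call it from a controller as `$this->student_model->find_bound($this->input->get('id'))`. Of the four lookup methods, only `find_unsafe()` can be turned into a different statement by its argument; the other three send the argument purely as a value. `find_sorted()` shows why the answer's advice is complete only for values: the allow-list, not escaping, is what keeps the identifier position safe.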

