How to use CodeIgniter to prevent malicious SQL injections

Should you escape input when using CodeIgniter's Active Record class?

Do you need to worry about MySQL injection vulnerabilities when using CodeIgniter?

Yes, yes you do.

It is, of course, good security practice to escape your data before submitting it to your database.

CodeIgniter provides three helpful methods, part of its database library, for stopping SQL injection:

$this->db->escape()          - escapes the value and wraps it in quotes, so it can be dropped straight into the query in place of a string literal
$this->db->escape_str()      - escapes the value only; you add the quotes yourself
$this->db->escape_like_str() - like escape_str(), but also escapes the LIKE wildcard characters % and _, for values used inside a LIKE clause

CodeIgniter also provides query bindings, whereby the question marks in the query are replaced by the data parameters that you pass to the query function.

For example:

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));

The values are escaped automatically, so you don't have to escape them yourself, resulting in safer queries that stop attackers injecting malicious SQL. The same goes for Active Record: values passed to methods such as where() are escaped by default (unless you explicitly pass FALSE as the escape argument), but any raw string you concatenate into a query yourself is not. Note that escaping and bindings only protect values; table and column names (for example a user-supplied ORDER BY column) are not covered and must be checked against an allowlist.
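To show the difference between the patterns, here is an added example that is not from the original post or from the CodeIgniter project. It is a hypothetical CodeIgniter 3.x model (the class name Article_model, the articles table and its columns are all assumed) with the vulnerable string-concatenation version next to each of the three escaping helpers, a query-binding version, and the equivalent Active Record call.

```php
<?php
// Added example, not code from the original post or the CodeIgniter project.
// Hypothetical CodeIgniter 3.x model: Article_model, the articles table and
// the columns id, status, author and title are assumed names. Assumes a
// loaded database connection ($this->db).
class Article_model extends CI_Model
{
    // VULNERABLE: user input concatenated straight into the SQL string.
    // An $author of  ' OR '1'='1  turns the WHERE clause into a tautology
    // and returns every row.
    public function find_by_author_unsafe($author)
    {
        $sql = "SELECT * FROM articles WHERE author = '" . $author . "'";
        return $this->db->query($sql)->result();
    }

    // escape(): escapes the value AND adds the surrounding quotes, so it
    // replaces the whole quoted literal. "O'Reilly" becomes 'O\'Reilly'
    // on the MySQL driver.
    public function find_by_author_escaped($author)
    {
        $sql = "SELECT * FROM articles WHERE author = " . $this->db->escape($author);
        return $this->db->query($sql)->result();
    }

    // escape_str(): escapes only; you must supply the quotes yourself.
    public function find_by_status_escaped_str($status)
    {
        $sql = "SELECT * FROM articles WHERE status = '" . $this->db->escape_str($status) . "'";
        return $this->db->query($sql)->result();
    }

    // escape_like_str(): like escape_str() but also escapes the LIKE
    // wildcards % and _, so a search term of "%" cannot be widened into
    // "match everything". CodeIgniter 3 uses '!' as the escape character,
    // hence the ESCAPE '!' clause (CodeIgniter 2 used a backslash and
    // needed no ESCAPE clause).
    public function search_title($term)
    {
        $sql = "SELECT id, title FROM articles WHERE title LIKE '%"
             . $this->db->escape_like_str($term) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }

    // Query bindings: each ? is replaced by the matching array element,
    // escaped by the driver. No manual escaping of the values is needed.
    public function find($id, $status, $author)
    {
        $sql = "SELECT * FROM articles WHERE id = ? AND status = ? AND author = ?";
        return $this->db->query($sql, array($id, $status, $author))->result();
    }

    // Active Record / Query Builder: values passed in the where array are
    // escaped automatically. Equivalent to find() above.
    public function find_ar($id, $status, $author)
    {
        return $this->db->get_where('articles', array(
            'id'     => $id,
            'status' => $status,
            'author' => $author,
        ))->result();
    }

    // Identifiers are NOT protected by any of the above. A user-chosen sort
    // column must be checked against an allowlist before it reaches the SQL.
    public function list_sorted($column)
    {
        $allowed = array('id', 'title', 'author');
        if (!in_array($column, $allowed, TRUE)) {
            $column = 'id';
        }
        return $this->db->order_by($column, 'ASC')->get('articles')->result();
    }
}
```

Of the safe variants, find() and find_ar() are the ones to reach for by default: the escaping happens in one place, in the driver, and there is no quote for you to forget. The escape helpers are for the cases where you must build the SQL string by hand, such as the LIKE search above.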

Refer to the last two sections of this page of the CodeIgniter manual.

If you liked this tip, be sure to subscribe below and be the first to get my next tip…