How to use CodeIgniter to prevent malicious SQL injections

Should you escape input when using CodeIgniter's active record class?

Do you need to worry about MySQL injection vulnerabilities when using CodeIgniter?

Yes, yes you do.

It is, of course, good security practice to escape your data before submitting it to your database.

CodeIgniter provides three helpful methods, part of its database library, to stop SQL injection:

$this->db->escape()
$this->db->escape_str()
$this->db->escape_like_str()

CodeIgniter also provides a way to use bindings, whereby the question marks in the query are replaced by the data parameters you pass to the query function.

For example:

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));

This way the values are escaped for you, so you don't have to escape them yourself, resulting in safer queries and stopping attackers from injecting malicious SQL.

Refer to the last two sections of this page of the CodeIgniter manual.
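To show the three methods and the bindings side by side, here is an added example (not code from the original post or from the CodeIgniter project): a hypothetical CodeIgniter 3 model that contrasts string-concatenated SQL with each safe technique. It assumes CodeIgniter 3 with the database library loaded, a MySQL table `posts` with columns id, status, author and title (all made up), and the driver's default LIKE escape character `!`.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Hypothetical model; table `posts` (id, status, author, title) is made up.
class Post_model extends CI_Model
{
    // UNSAFE, shown only for contrast: $author is pasted into the statement,
    // so a quote character in it ends the literal and the rest runs as SQL.
    public function find_unsafe($author)
    {
        $sql = "SELECT * FROM posts WHERE author = '" . $author . "'";
        return $this->db->query($sql)->result_array();
    }

    // SAFE: query bindings. Each ? is replaced by the matching array element,
    // which the driver escapes and quotes, as in the tip above.
    public function find_by_status_and_author($status, $author)
    {
        $sql = 'SELECT * FROM posts WHERE status = ? AND author = ?';
        return $this->db->query($sql, array($status, $author))->result_array();
    }

    // SAFE: escape() escapes according to type (strings are quoted and
    // escaped, integers left bare, NULL becomes NULL), so no quotes are added here.
    public function find_by_id($id)
    {
        $sql = 'SELECT * FROM posts WHERE id = ' . $this->db->escape($id);
        return $this->db->query($sql)->row_array();
    }

    // SAFE for LIKE: escape_like_str() escapes quotes and also the % and _
    // wildcards, so a search term cannot widen the pattern. ESCAPE must name
    // the driver's LIKE escape character ('!' by default in CodeIgniter 3).
    public function search_title($term)
    {
        $sql = "SELECT id, title FROM posts WHERE title LIKE '%"
             . $this->db->escape_like_str($term) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result_array();
    }

    // Query Builder (the "active record" class the post asks about) escapes
    // the values passed to where() itself, so they need no manual escaping.
    public function find_live_by_author_qb($author)
    {
        $this->db->where('status', 'live')->where('author', $author);
        return $this->db->get('posts')->result_array();
    }
}
```

Drop `find_unsafe()` in real code; it is there only so the difference from the safe methods is visible in one place.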


Why you shouldn’t use the CodeIgniter PHP framework… directly

There is a lot of discussion about which is the "best PHP framework", and there are many good ones to choose from: Laravel, Symfony, CodeIgniter, CakePHP and Yii, to name a few off the top of my head. There are many different answers about which may be "best", depending on your needs and use case.

Personally I've almost always used CodeIgniter, but never directly! I did try Cake and Yii and read up on the other two I've mentioned, but I haven't used them either yet.

And to add fuel to the fire, I think you should consider not using CodeIgniter directly, but instead using one of the "frameworks" built on top of and extending CodeIgniter.

To name but a few:

Personally I've used Bonfire a couple of times and GoCart many times. I've found GoCart a great framework (because it's built on top of CodeIgniter). It's actually designed as a lightweight e-commerce platform with a basic lightweight CMS. However, I've never really used all the features it comes with; instead it gives me a framework/platform to quickly build web applications on top of. I can make use of its user management system straight away, I don't need to build my own. It's also Bootstrapped, which is all that I need to quickly build clean and functional web apps.

I liken the framework choice to a choice about cars: you can ask what's the best car for under $25,000 and you might be able to come up with a choice of three or four, but all have slightly different advantages and options. Then next year's models will come out and there will be new choices; there may even be a new manufacturer with a brand new model…

Sometimes, though, it's best to stick with the tried and tested frameworks, just as car manufacturers stick with their tried and tested "frameworks". The framework that makes an Audi A3 also makes a VW Golf, as it does a SEAT and a Skoda.

So consider the above if you haven't already looked into them. There may well be similar offerings built on top of Laravel and Symfony which I haven't investigated yet.

Whilst writing this, it's made me think maybe I really should check out CodeIgniter on its own. What frameworks do you use? Let me know in the comments below…