Codeigniter SQL Injection Codeigniter SQL Injection codeigniter codeigniter

Codeigniter SQL Injection


php mysql codeigniter sql-injection

I think it's going to be like this.

www.site.com?foo=1 OR 1 = 1 union select * from user_phone where user_phone.id_user = user.id

php mysql codeigniter sql-injection

CI comes with functions to escape variables for exactly this reason.

$foo = $this->input->get('foo');$foo = $this->db->escape($foo);$sql = "SELECT * FROM user WHERE id = {$foo}"; $foo = $this->db->query($sql);echo '<pre>';print_r($foo->result());echo '</pre>';die();

php mysql codeigniter sql-injection

You should be able to bind your query using something like this:

$sql = "SELECT * FROM user WHERE id = ? AND name = ?"; $foo = $this->db->query($sql, array('foo', 'bar'));

As for getting data from other tables, you'd just need to construct a more elaborate sql query

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last