Security in CodeIgniter
If you're using the Active Record class for DB interaction the data will be escaped automatically:
Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.
If not and you are manually running queries, you'll need to escape it yourself.
Some advice on your function:
public function view( $id )
{
    $this->load->model('news_model');
    $this->news_model->get_by_id( $id );
    // ...
}
If $id is not present in the URL, you will get error notices. Set a default value:
public function view( $id = NULL )
Then check the value in your controller. Example:
if ( ! $id)
{
    redirect('somewhere/else');
}
Also, make sure you get a result before continuing (I assume your model returns false here if no record is found):
$record = $this->news_model->get_by_id( $id );
if ( ! $record)
{
    // redirect with error message or something
}
You can validate the $id's type or integrity as much as you want, but for simplicity I would just pass it over to the model and return false if no record was found.
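The advice above put together as one runnable controller/model pair. This is an added example, not code from the original answer: it assumes CodeIgniter 2 or 3, a "news" table with an integer "id" column, and the illustrative class names News and News_model (in a real project each class lives in its own file under controllers/ and models/).

```php
<?php
// Added example, not from the original answer. Assumes CodeIgniter 2/3, a
// "news" table with an integer "id" column, and illustrative class names.

class News_model extends CI_Model
{
    // Fetch one record by primary key through Active Record. The driver
    // escapes the bound value, so no manual escaping is needed here.
    public function get_by_id($id)
    {
        $query = $this->db->where('id', (int) $id)->get('news');

        // Return FALSE when nothing matched so the controller can bail out.
        if ($query->num_rows() === 0) {
            return FALSE;
        }
        return $query->row();
    }
}

class News extends CI_Controller
{
    // A default of NULL avoids "missing argument" notices when the URL
    // segment is absent, e.g. /news/view with no id at all.
    public function view($id = NULL)
    {
        // Reject a missing or non-numeric id before touching the database.
        if ($id === NULL || ! ctype_digit((string) $id)) {
            redirect('news');
            return;
        }

        $this->load->model('news_model');
        $record = $this->news_model->get_by_id($id);

        // No matching row: send a 404 rather than rendering with bad data.
        if ( ! $record) {
            show_404();
            return;
        }

        $this->load->view('news/view', array('record' => $record));
    }
}
```

The ctype_digit() check is optional, as the answer says; the part that matters for safety is that the model never interpolates $id into SQL and the controller never renders when get_by_id() returns FALSE.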
Even if you're not running Active Record, automatic escaping is provided. You just need to query the db like this:
$data = array($id, $name);
$this->db->query("SELECT * FROM table WHERE id=? OR name=?", $data);
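To make the difference concrete, here is the same lookup written three ways in a model: unsafe string interpolation, the query-binding form from the answer above, and manual escaping with $this->db->escape(). This is an added example, not code from the original answer; it assumes CodeIgniter 2/3 with the database library loaded and a "news" table with "id" and "name" columns.

```php
<?php
// Added example, not from the original answer. Assumes CodeIgniter 2/3 with
// $this->db available and a "news" table with "id" and "name" columns.

class News_model extends CI_Model
{
    // UNSAFE: $id and $name go straight into the SQL string, so a value
    // containing quotes or SQL syntax changes the meaning of the WHERE clause.
    public function find_unsafe($id, $name)
    {
        $sql = "SELECT * FROM news WHERE id = $id OR name = '$name'";
        return $this->db->query($sql)->result();
    }

    // SAFE: each ? is replaced, in order, by the escaped value from the array.
    // Bindings cover values only; table and column names cannot be bound.
    public function find_bound($id, $name)
    {
        $sql = "SELECT * FROM news WHERE id = ? OR name = ?";
        return $this->db->query($sql, array($id, $name))->result();
    }

    // Also SAFE when you must assemble the string yourself: escape() quotes
    // and escapes the value for the active database driver.
    public function find_escaped($id, $name)
    {
        $sql = 'SELECT * FROM news WHERE id = ' . $this->db->escape($id)
             . ' OR name = ' . $this->db->escape($name);
        return $this->db->query($sql)->result();
    }
}
```

Prefer find_bound(): it keeps the query text fixed and leaves escaping to the driver. find_escaped() is equivalent but easier to get wrong, since every concatenated value has to be escaped individually.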