I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically. If not, are there any frameworks that have this included?
In order to use prepared statements, you can simply use query bindings with CodeIgniter.
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake'); // each ? is replaced, in order, by the escaped value from $bind
$this->db->query($query, $bind);
CakePHP runs all model queries through its own methods; if you use the model methods it automatically sanitizes any data passed to the query for you, i.e.
$options['conditions'] = array('Product.status' => $status); // $status is passed as data, not spliced into SQL
$this->Product->find('first', $options);
Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.
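To make the difference between escaping-by-concatenation and binding concrete, here is an added example (not code from any of the answers above, and not CodeIgniter or CakePHP code) using plain PDO, which is what "look into prepared statements" means in practice. It runs against an in-memory SQLite database; the user table, its two rows, the attacker string, and the function names findUserUnsafe, findUserSafe and listUsersOrdered are all constructed for illustration. With the same attacker input, the concatenated query matches every row in the table while the bound query matches none, because the bound value is never parsed as SQL.

```php
<?php
// Added example: string concatenation vs. a PDO prepared statement.
// Everything below (table, rows, attacker input, function names) is constructed
// for illustration and is not taken from the original question or answers.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO user (name, is_admin) VALUES ('Jake', 0), ('root', 1)");

// Constructed attacker input: closes the quoted literal and appends a tautology.
$input = "Jake' OR '1'='1";

// Unsafe: the input becomes part of the SQL text, so the quote and OR are syntax.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM user WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare time; the value travels separately as a
// parameter, so the quote and OR are only characters inside a name. This is the
// same separation that CodeIgniter's query bindings and CakePHP's conditions
// arrays give you inside those frameworks.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caveat: placeholders bind values only. Identifiers (table and column names) and
// keywords such as the sort direction cannot be bound, so they must be checked
// against an allow-list before being interpolated.
function listUsersOrdered(PDO $pdo, string $column, string $direction): array
{
    $allowedColumns    = ['id', 'name'];
    $allowedDirections = ['ASC', 'DESC'];
    $direction = strtoupper($direction);
    if (!in_array($column, $allowedColumns, true)
        || !in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException('unexpected identifier in ORDER BY');
    }
    // Safe only because both fragments were just validated against fixed lists.
    $stmt = $pdo->query("SELECT id, name FROM user ORDER BY $column $direction");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("unsafe: %d row(s)\n", count(findUserUnsafe($pdo, $input)));
printf("safe:   %d row(s)\n", count(findUserSafe($pdo, $input)));
printf("safe:   %d row(s)\n", count(findUserSafe($pdo, 'Jake')));
print_r(listUsersOrdered($pdo, 'name', 'desc'));
```

Two practical notes. First, mysql_real_escape_string() belongs to the old ext/mysql extension, which was removed in PHP 7, so on current PHP the choice is between PDO or mysqli prepared statements and whatever binding layer your framework provides. Second, on MySQL, PDO emulates prepares client-side by default; setting PDO::ATTR_EMULATE_PREPARES to false in the connection options makes the server do the parsing, which is the stronger guarantee, but either mode keeps the value out of the SQL text as long as you use placeholders rather than concatenation.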