Escaping Characters from MySQL from PHP Framework – Education Career Blog

I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?

Thanks!


In order to use prepared statements, you can simply use query bindings with CodeIgniter.

// Each ? placeholder is replaced by the matching bound value, escaped by the driver
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);

More info found here.


CakePHP runs all model queries through its own methods; if you use the model methods, it automatically sanitizes any data passed to the query for you, i.e.

// The condition value is passed to the model layer as data, not pasted into the SQL text
$options['conditions'] = array('Product.status' => $status);
$this->Product->find('first', $options);


Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don’t want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.
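The CodeIgniter binding shown earlier and the prepared statements this last answer recommends rely on the same idea: the value never becomes part of the SQL text. The following is an added example, not code from the thread or from any of the frameworks mentioned; it uses plain PDO with an in-memory SQLite database (assumed available) so it runs without a MySQL server, and shows the concatenated query beside the bound one.

```php
<?php
// Added example (not from the original thread): the user lookup from the
// CodeIgniter snippet, written against plain PDO. In-memory SQLite stands in
// for MySQL so the script needs no server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// Constructed sample rows; the second name contains an apostrophe on purpose.
$pdo->exec("INSERT INTO user (name) VALUES ('Jake'), ('O''Brien')");

// Unsafe: the value is concatenated into the SQL text, so a quote inside it
// is read as SQL syntax. This is the pattern the question is worried about.
function findUserUnsafe(PDO $pdo, string $name): ?array
{
    $sql = "SELECT id, name FROM user WHERE name = '" . $name . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: the value travels as a bound parameter and is treated purely as
// data. This is what CodeIgniter's $this->db->query($sql, $bind) arranges
// for each ? placeholder, and what a prepared statement does natively.
function findUserSafe(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A legitimate name with an apostrophe is enough to show the difference:
// the concatenated query is malformed SQL and throws, the bound query
// finds the row.
$name = "O'Brien";
try {
    var_dump(findUserUnsafe($pdo, $name));
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}
var_dump(findUserSafe($pdo, $name));
```

The same contrast holds against MySQL: swap the DSN for a mysql: one and the bound version keeps working unchanged, while the concatenated version stays dependent on every caller escaping correctly.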
