Escaping Characters from MySQL from PHP Framework – Education Career Blog

I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?



In order to use prepared statements, you can simply use query bindings with CodeIgniter.

$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);

More info found here.


CakePHP runs all model queries through its own methods; if you use the model methods, it automatically sanitizes any data passed to the query for you, i.e.

$options['conditions'] = array('Product.status' => $status);


Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don’t want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.
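The CodeIgniter query bindings shown in the first answer and the prepared statements mentioned in the last one rest on the same mechanism: the SQL text is sent with placeholders and the values travel separately, so a quote in the input can never become SQL syntax. The following added example (written for this page, not code from CodeIgniter, CakePHP or any answer above) shows that in plain PHP with PDO against an in-memory SQLite database, so it runs offline; the user table, its rows and the input "O'Brien" are constructed sample data. The concatenated version breaks on the apostrophe, the bound version returns the matching row.

```php
<?php
// Added example, not from the original post: plain PHP with PDO prepared
// statements, the mechanism behind CodeIgniter's $this->db->query($sql, $bind).
// An in-memory SQLite database stands in for MySQL so the script runs offline;
// table, rows and input are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO user (name) VALUES ('Jake'), ('O''Brien')");

// Input as it might arrive from a form; the apostrophe is the interesting part.
$name = "O'Brien";

// Unsafe: the value is pasted into the SQL text, so its quote becomes syntax.
// (This is the pattern the question's mysql_real_escape_string() was meant to patch.)
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM user WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: a placeholder in the SQL and the value bound at execute time, which is
// what CodeIgniter's query bindings do for you. The value is never part of the
// SQL text, so no escaping step is needed or can be forgotten.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM user WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findUserUnsafe($pdo, $name);
} catch (PDOException $e) {
    // The stray quote turns the query into invalid SQL; with hostile input it
    // would instead change what the query does.
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}

print_r(findUserSafe($pdo, $name));
```

The same shape carries over to MySQL: construct the PDO with a mysql: DSN instead of sqlite::memory: and nothing else changes, which is the practical answer to the question. Binding replaces escaping rather than adding to it, so code that still calls mysql_real_escape_string() on a value that is then bound will store a doubly-escaped string.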
