
From what I understand using $this->db->insert() escapes the values:

http://codeigniter.com/user_guide/database/active_record.html#insert

Note: All values are escaped automatically producing safer queries.

But when I look into MySQL, my inputs are not escaped. Is it for some reason removed somehow?

Worried about SQL injections here, that's why I'm asking.

busytraining

2 Answers


When you escape a string for SQL statements it doesn't necessarily mean that you should see backslashes added when you look into the data later. It means that certain characters will be escaped and the SQL statement will run without any errors. Try inserting data with mysql_real_escape_string.

LINE: 557 https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Input.php

if ( ! is_php('5.4') && get_magic_quotes_gpc())
{
    $str = stripslashes($str);
}

And then

LINE: 285 https://github.com/EllisLab/CodeIgniter/blob/develop/system/database/drivers/mysql/mysql_driver.php

$str = is_resource($this->conn_id) ? mysql_real_escape_string($str, $this->conn_id) : addslashes($str);

The string is passed through mysql_real_escape_string or addslashes. Hence, we can say that safety measures against SQL injections are taken into account.

  • Yeah, mysql_real_escape_string and htmlspecialchars escape the values and insert them into the database with (\\). But I'm wondering if CodeIgniter does escape it but does not show it in the database. – busytraining Jun 24 '12 at 03:26
  • If that's the case you must be running a PHP version older than 5.3 and enabled **magic_quotes_gpc** which is probably considered by CodeIgniter and passed through **stripslashes** before calling **mysql_real_escape_string**. –  Jun 24 '12 at 03:41
  • I got curious and looked into CodeIgniter. It turns out that my guess is right. Editing the post now. –  Jun 24 '12 at 04:00
  • Yeah you are right about the old version. I turned off magic_quotes_gpc and still have the same issue, interested in your edit :) – busytraining Jun 24 '12 at 04:05
  • Yeah thanks, I'm just looking at that now too. Would the result be the same with no values having \\ when inserted into the database with php 5.4 using $this->db->insert()? – busytraining Jun 24 '12 at 04:18
  • Yes, it will be the same. Because the input is only passed through **stripslashes** if the PHP version is not 5.4 and **get_magic_quotes_gpc** returns true. **get_magic_quotes_gpc** won't return true for PHP 5.5 because **magic_quotes_gpc** is removed as of PHP 5.4. –  Jun 24 '12 at 04:24
  • Thank you very much for the help and quick replies :) – busytraining Jun 24 '12 at 04:37

By "escaped" they mean replacing this:

SELECT * FROM table1 WHERE field1 LIKE "some string with " quotes"

for this:

SELECT * FROM table1 WHERE field1 LIKE "some string with \" quotes"

If you want to make sure your strings are escaped before saving them, consider using the $this->db->escape* methods: http://codeigniter.com/user_guide/database/queries.html

Also, check:

dmmd
  • Yeah, the only problem I'm having is that when I actually do insert values into the database I do not see the escaped version. I kind of prefer for it to be that way. Just looking for confirmation that it actually escapes so SQL injection doesn't happen. I've been reading here that you should escape output, not input. And with xss_clean, some people here are against it and I want people to submit things like or – busytraining Jun 24 '12 at 04:20
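Both answers make the same two points: escaping belongs to the SQL text, not to the stored value, and backslashes only end up in the table when a value is escaped twice (magic_quotes_gpc plus the driver). The following script, an added example that is not code from the question, the answers or CodeIgniter, demonstrates both cases. It assumes PHP with the PDO SQLite driver and uses PDO::quote() in place of mysql_real_escape_string(); SQLite doubles quotes where MySQL uses backslashes, but the stored result is the same.

```php
<?php
// Added example, not from the question, the answers or CodeIgniter.
// Assumes the PDO SQLite driver; PDO::quote() stands in for mysql_real_escape_string().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input containing every character class that needs escaping.
$input = "O'Reilly wrote \"hello\" and a backslash \\ here";

// Case 1: escape once while building the statement. The escaping is visible in
// the SQL text only; the value the server stores is the original string.
$sql = 'INSERT INTO posts (body) VALUES (' . $pdo->quote($input) . ')';
echo $sql, PHP_EOL;   // the literal shows the escaping, e.g. 'O''Reilly ...'
$pdo->exec($sql);

// Case 2: the value was already altered by magic_quotes_gpc (simulated here with
// addslashes()) and then escaped again by the driver. The extra backslashes are
// now part of the data, which is the only situation where a SELECT shows them.
// The stripslashes() branch quoted from Input.php exists to undo exactly this.
$doubled = addslashes($input);
$pdo->exec('INSERT INTO posts (body) VALUES (' . $pdo->quote($doubled) . ')');

// Read both rows back and compare them with the original input.
foreach ($pdo->query('SELECT id, body FROM posts') as $row) {
    printf("row %d stored unchanged: %s\n", $row['id'],
        $row['body'] === $input ? 'yes' : 'no, stored as: ' . $row['body']);
}
```

Row 1 reads back identical to the input; row 2 carries the backslashes that addslashes() inserted, which is what the asker would see if magic_quotes_gpc were still active.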